Welcome to the website about ISA 99.

ANSI/ISA99 to Secure Your Control System.

ISA99 Security Guidelines and User Resources for Industrial Automation and Control Systems
For more information, contact me via LinkedIn.

© Frank Woutersen 2008 - 2014

ANSI TECHNICAL REPORT PREPARED BY ISA

ANSI/ISA-TR99.00.01-2007 Security Technologies for Industrial Automation and Control Systems
Approved 29 October 2007

ISA-TR99.00.01-2007 Copyright 2007 ISA. All rights reserved.
ISBN: 978-1-934394-42-7
Not for resale. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without the prior written permission of the Publisher.

Preface

This preface, as well as all footnotes and annexes, is included for information purposes and is not part of ANSI/ISA-TR99.00.01-2007.

This document has been prepared as part of the service of ISA toward a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; Email: standards@isa.org.

The ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general, and the International System of Units (SI) in particular, in the preparation of instrumentation standards. The Department is further aware of the benefits to USA users of ISA standards of incorporating suitable references to the SI (and the metric system) in their business and professional dealings with other countries. Toward this end, this Department will endeavor to introduce SI-acceptable metric units in all new and revised standards, recommended practices, and technical reports to the greatest extent possible. The Standard for Use of the International System of Units (SI): The Modern Metric System, published by the American Society for Testing & Materials as IEEE/ASTM SI 10-97, and future revisions, will be the reference guide for definitions, symbols, abbreviations, and conversion factors.

It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards, recommended practices, and technical reports. Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA, or of any of the standards, recommended practices, and technical reports that ISA develops.

CAUTION – ISA adheres to the policy of the American National Standards Institute with regard to patents. If ISA is informed of an existing patent that is required for use of the standard, it will require the owner of the patent to either grant a royalty-free license for use of the patent by users complying with the document or a license on reasonable terms and conditions that are free from unfair discrimination.

EVEN IF ISA IS UNAWARE OF ANY PATENT COVERING THIS DOCUMENT, THE USER IS CAUTIONED THAT IMPLEMENTATION OF THE DOCUMENT MAY REQUIRE USE OF TECHNIQUES, PROCESSES, OR MATERIALS COVERED BY PATENT RIGHTS. ISA TAKES NO POSITION ON THE EXISTENCE OR VALIDITY OF ANY PATENT RIGHTS THAT MAY BE INVOLVED IN IMPLEMENTING THE DOCUMENT. ISA IS NOT RESPONSIBLE FOR IDENTIFYING ALL PATENTS THAT MAY REQUIRE A LICENSE BEFORE IMPLEMENTATION OF THE DOCUMENT OR FOR INVESTIGATING THE VALIDITY OR SCOPE OF ANY PATENTS BROUGHT TO ITS ATTENTION. THE USER SHOULD CAREFULLY INVESTIGATE RELEVANT PATENTS BEFORE USING THE DOCUMENT FOR THE USER'S INTENDED APPLICATION.

However, ISA asks that anyone reviewing this document who is aware of any patents that may impact implementation of the document notify the ISA Standards and Practices Department of the patent and its owner.

Additionally, the use of this document may involve hazardous materials, operations or equipment. The document cannot anticipate all possible applications or address all possible safety issues associated with use in hazardous conditions. The user of this document must exercise sound professional judgment concerning its use and applicability under the user's particular circumstances. The user must also consider the applicability of any governmental regulatory limitations and established safety and health practices before implementing this document.

The following served as voting members of ISA99:

NAME – COMPANY
B. Singer, Chair – FluidIQs
R. Webb, Managing Director – Consultant
E. Byres, Working Group 1 Leader – Byres Security, Inc.
R. Evans, Lead Editor – Idaho National Laboratory
R. Bhojani – Bayer Technology Services - Americas
M. Braendle – ABB
D. Brandl – BR&L Consulting, Inc.
R. Clark – Wonderware
A. Cobbett – BP Process Control Digital Protection
E. Cosman – Dow Chemical Co.
J. Dalzon – ISA France
T. Davis – Citect
R. Derynck – Verano, Inc.
R. Forrest – Ohio State University
J. Gilsinn – NIST
T. Glenn – Yokogawa
T. Good – DuPont Engineering
E. Hand – Sara Lee Food & Beverage
M. Heard – Eastman Chemical Co.
D. Holstein – OPUS Publishing
C. Ho – Rockwell Automation
B. Huba – Emerson Process Management
M. Lees – Schering-Plough Corp.
C. Mastromonico – Westinghouse Savannah River Co.
D. Mills – Procter & Gamble Co.
G. Morningstar – Cedar Rapids Water Dept.
A. Nangia – 3M
J. Nye – ExxonMobil Research Engineering
T. Phinney – Honeywell ACS Adv Tech Lab
E. Rakaczky – Invensys Process Systems
C. Sossman – Washington Safety Management Solutions LLC
L. Steinocher – Fluor Enterprises, Inc.
I. Susanto – Chevron Information Technology Co.
B. Taylor – George Washington University
D. Teumim – Teumim Technical LLC
D. Tindill – Matrikon, Inc.
L. Uden – Lyondell Chemical Co.
J. Weiss – Applied Control Solutions, LLC
M. Widmeyer – Consultant
L. Winkel – Siemens SG

The ISA Standards and Practices Board approved this technical report for publication on 27 August 2007.

NAME – COMPANY
T. McAvinew, Chair – Jacobs Engineering Group
M. Coppler – Ametek, Inc.
E. Cosman – Dow Chemical Co.
B. Dumortier – Schneider Electric
D. Dunn – Aramco Services Co.
J. Gilsinn – NIST
W. Holland – Consultant
E. Icayan – ACES, Inc.
J. Jamison – Consultant
K. Lindner – Endress & Hauser Process Solutions AG
V. Maggioli – Feltronics Corp.
A. McCauley, Jr. – Chagrin Valley Controls, Inc.
G. McFarland – Emerson Process Management
R. Reimer – Rockwell Automation
Sands – E I du Pont
H. Sasajima – Yamatake Corp.
T. Schnaare – Rosemount, Inc.
J. Tatera – Consultant
I. Verhappen – MTL Instrument Group
R. Webb – Consultant
W. Weidman – Parsons Energy & Chemicals Group
J. Weiss – Applied Control Solutions LLC
M. Widmeyer – Consultant
M. Zielinski – Emerson Process Management

Contents

Foreword
Introduction
1 Scope
2 Purpose
3 General Terms and Definitions
3.1 Definitions
3.2 Acronyms
3.3 Sources of Definitions and Abbreviations
4 Overview
5 Authentication and Authorization Technologies
5.1 Role-Based Authorization Tools
5.2 Password Authentication
5.3 Challenge/Response Authentication
5.4 Physical/Token Authentication
5.5 Smart Card Authentication
5.6 Biometric Authentication
5.7 Location-Based Authentication
5.8 Password Distribution and Management Technologies
5.9 Device-to-Device Authentication
6 Filtering/Blocking/Access Control Technologies
6.1 Network Firewalls
6.2 Host-based Firewalls
6.3 Virtual Networks
7 Encryption Technologies and Data Validation
7.1 Symmetric (Secret) Key Encryption
7.2 Public Key Encryption and Key Distribution
7.3 Virtual Private Networks (VPNs)
8 Management, Audit, Measurement, Monitoring, and Detection Tools
8.1 Log Auditing Utilities
8.2 Virus and Malicious Code Detection Systems
8.3 Intrusion Detection Systems
8.4 Vulnerability Scanners
8.5 Forensics and Analysis Tools (FAT)
8.6 Host Configuration Management Tools
8.7 Automated Software Management Tools
9 Industrial Automation and Control Systems Computer Software
9.1 Server and Workstation Operating Systems
9.2 Real-time and Embedded Operating Systems
9.3 Web Technologies
10 Physical Security Controls
10.1 Physical Protection
10.2 Personnel Security

Foreword

The need for protecting Industrial Automation and Control System (IACS) computer environments from malicious cyber intrusions has grown significantly over the last decade. The combination of increased use of open systems, platforms, and protocols in the IACS environment, along with an increase in joint ventures, alliance partners and outsourcing, has led to increased threats and a higher probability of cyber attacks. As threats and vulnerabilities increase, the risk of a cyber attack on an industrial communication network correspondingly increases, as well as the need for protection of computer and network-based Information Sharing and Analysis Centers.
Additionally, the growth of intelligent equipment and embedded systems; increased connectivity of computer and networked equipment and software; and enhanced external connectivity coupled with rapidly increasing incidents of network intrusion, intelligent hackers, and malicious yet easily accessible software, add to the risk as well.

There are numerous electronic security technologies and cyber intrusion countermeasures potentially available for the IACS environment. This technical report addresses several categories of cyber security technologies and countermeasure techniques and discusses specific types of applications within each category, the vulnerabilities addressed by each type, suggestions for deployment, and strengths and weaknesses. Additionally, guidance is provided for using the various categories of security technologies and countermeasure techniques for mitigation of the above-mentioned increased risks. This technical report does not make recommendations of one cyber security technology or mitigation method over others, but provides suggestions and guidance for using the technologies and methods, as well as information to consider in developing a site or corporate cyber security policy, program and procedures for the IACS environment.

The ISA99 standards development committee intends to update this technical report periodically to reflect new information, cyber security technologies, countermeasures, and cyber risk mitigation methods. The committee cautions the reader that following the recommended guidance in this report will not necessarily ensure that optimized cyber security is attained for the reader's industrial automation and control systems environment. It will, however, help identify and address vulnerabilities, and reduce the risk of undesired cyber intrusions that could compromise confidential information or, even worse, cause human or environmental harm, as well as the disruption or failure of industrial network control systems and the industry infrastructure critical assets they monitor and regulate.

Publication of this Registered Technical Report has been approved by the Accredited Standards Developer. This document is registered as a Technical Report series of publications according to the procedures for Registration of Technical Reports with ANSI. This document is not an American National Standard and the material contained herein is not normative in nature. Comments on the content of this document should be sent to the Accredited Standards Developer.

_________________________________
ActiveX®, Microsoft®, Win32®, Win32s®, and Windows® are registered trademarks of Microsoft Corporation. ControlNet™ and EtherNet/IP™ are trademarks of ControlNet International, Inc. CIP™ is a trademark of ODVA. FOUNDATION Fieldbus® is a registered trademark of the Fieldbus Foundation. Java® is a registered trademark of Sun Microsystems, Inc. Linux® is a registered trademark of Linus Torvalds. MODBUS® and MODBUS/TCP® are registered trademarks of Schneider Automation. OPC® is a registered trademark of the OPC Foundation. Pretty Good Privacy® and PGP® are registered trademarks of PGP Corporation. PROFIBUS® and PROFInet® are registered trademarks of the PROFIBUS User Organization. RSA® is a registered trademark of RSA Security Inc. UNIX® is a registered trademark of The Open Group.

Introduction

This ISA technical report provides an evaluation and assessment of many current types of electronic-based cyber security technologies, mitigation methods, and tools that may apply to protecting the IACS environment from detrimental cyber intrusions and attacks. For the various technologies, methods and tools introduced in this report, a discussion of development, implementation, operations, maintenance, engineering and other user services is provided. The report also provides guidance to manufacturers, vendors, security practitioners and end-user companies, facilities, and industries on the technological options and countermeasures for securing automated IACSs (and their associated industrial networks) against electronic (cyber) attack.

Following the recommended guidance in this technical report will not necessarily ensure that optimized cyber security is attained for IACSs. It will, however, help identify and address vulnerabilities, and reduce the risk of undesired intrusions that could compromise confidential information or cause disruption or failure of the control systems and critical infrastructure assets they automate and control. Of more concern, the recommendations may aid in reducing the risk of any human or environmental harm that may result from the cyber compromise of an automated control system or its associated industrial network.

The cyber security guidance presented in this document is general in nature, and should be applied to each control system network by appropriate personnel knowledgeable about those specific industrial automation and control systems to which it is being applied. The guidance identifies those activities and actions that are typically important to provide cyber secure control systems, but whose application may not always be compatible with the effective operation and maintenance of the system's functions. The guidance includes suggestions and recommendations for appropriate cyber security applications to specific control systems; however, the selection and deployment of particular cyber security activities and practices for a given control system and its related industrial network are the responsibility of the system's owner. It is intended that this guidance will mature and be modified over time, as experience is gained in control system vulnerabilities, as specific cyber security implementations mature, and as new control-based cyber security technologies become available. As such, the general form of this guidance is expected to remain relatively stable, while the specifics of its application and solutions are expected to evolve.

ISA99 Series of Standards

In addition to this technical report, the ISA99 committee is developing a series of standards on cyber security for the industrial automation and control systems environment. The series includes:

1. ANSI/ISA99.00.01-2007 – Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts and Models. Published in November 2007, this Part 1 standard establishes the context for the remaining standards in the series by defining a common set of terminology, concepts and models for electronic security in the industrial automation and control systems environment.
2. ISA99.00.02 – Part 2: Establishing an Industrial Automation and Control System Security Program. Part 2, expected to be published in mid-to-late 2008, describes the elements of a cyber security management system and provides guidance for their application to industrial automation and control systems.
3. ISA99.00.03 – Part 3: Operating an Industrial Automation and Control System Security Program. Part 3 will address how to operate a security program after it is designed and implemented. This includes the definition and application of metrics to measure program effectiveness. Work on Part 3 will begin following the completion of Part 2.
4. ISA99.00.04 – Part 4: Technical Security Requirements for Industrial Automation and Control Systems. Work began in mid-2007 on the Part 4 standard, which will define the characteristics of industrial automation and control systems that differentiate them from other information technology systems from a security point of view. Based on these characteristics, the standard will establish the security requirements that are unique to this class of systems.

For more information on the ISA99 series of standards, please visit www.isa.org/standards.

1 Scope

This ISA technical report provides a current assessment of various cyber security tools, mitigation counter-measures, and technologies that may effectively apply to the modern electronically based IACSs regulating and monitoring numerous industries and critical infrastructures. It describes several categories of control system-centric cyber security technologies; the types of products available in those categories; the pros and cons of using those products in automated IACS environments, relative to the expected threats and cyber vulnerabilities; and, most important, preliminary recommendations and guidance for using these cyber security technology products and/or countermeasures.

The concept of IACS cyber security as applied in this ISA technical report is in the broadest possible sense, encompassing all types of components, plants, facilities, and systems in all industries and critical infrastructures. IACSs include, but are not limited to:

• Hardware (e.g., data historian servers) and software systems (e.g., operating platforms, configurations, applications) such as Distributed Control Systems (DCSs), Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA) systems, networked electronic sensing systems, and monitoring, diagnostic, and assessment systems. Inclusive in this hardware and software domain is the essential industrial network and any connected or related information technology (IT) devices and links critical to the successful operation of the control system at large. As such, this domain also includes, but is not limited to: firewalls, servers, routers, switches, gateways, fieldbus systems, intrusion detection systems, intelligent electronic/end devices, remote terminal units (RTUs), and both wired and wireless remote modems.
• Associated internal, human, network, or machine interfaces used to provide control, data logging, diagnostics, safety, monitoring, maintenance, quality assurance, regulatory compliance, auditing and other types of operational functionality for either continuous, batch, discrete, or combined processes.

Similarly, the concept of cyber security technologies and countermeasures is also broadly applied in this ISA technical report and includes, but is not limited to, the following technologies:

• Authentication and Authorization
• Filtering, Blocking, and Access Control
• Encryption
• Data Validation
• Auditing
• Measurement
• Monitoring and Detection Tools
• Operating Systems

In addition, a non-cyber technology, physical security control, is an essential requirement for some aspects of cyber security and is discussed in this report.

2 Purpose

The purpose of this ISA technical report is to categorize and define cyber security technologies, countermeasures, and tools currently available to provide a common basis for later technical reports and standards to be produced by the ISA99 committee. Each technology in this technical report is discussed in terms of:

• Security vulnerabilities addressed by the technology, tool, and/or countermeasure
• Typical deployment
• Issues and weaknesses
• Assessment for use in the IACS environment
• Future directions
• Recommendations and guidance
• Information sources and reference material

The intent of this technical report is to document the state of the art of cyber security technologies, tools, and countermeasures applicable to the IACS environment, clearly define which technologies can reasonably be deployed today, and define areas where more research may be needed.

3 Definitions and Acronyms

Since the following terms can take various interpretations, the definitions in this section are used as they apply to this document. The numbers in parentheses indicate the source document for the terms. Source documents are listed at the end in section 3.3.

3.1 Definitions

Access Authority—An entity responsible for monitoring and granting access privileges for IACSs and associated industrial networks to other authorized entities. (3)

Access Control—Protection of system resources against unauthorized access; a process by which use of system resources is regulated according to a security policy and is permitted only by authorized entities (users, programs, processes, or other systems) according to that policy. (3)

Accountability—The property of a system (including all of its system resources) that ensures that the actions of a system entity may be traced uniquely to that entity, which can be held responsible for its actions. (3)

Application Layer Protocols—Protocols specific to executing network applications such as email or file transfer. Layer 7 of the OSI reference model standard ISO 7498, "Information Technology—Open Systems Interconnection—Basic Reference Model" (www.iso.ch). (2) It is important to note that many modern industrial control systems include fieldbus networks, which normally do not include all seven layers, only the application layer.

Asymmetric Key Algorithm—See Public Key Cryptographic Algorithm. Note: In asymmetric encryption, the key for encoding the digital data transmitted is entirely different from the code for decrypting the data at the receiving end. This is in contrast to symmetric key encryption, where the same key is used to encrypt and decrypt data. Asymmetric encryption is logistically more secure because it avoids the transfer of a key between transmitter and receiver, where it could be intercepted. It is important to note that cryptographic methods protect confidential data in critical networks other than control networks. In IACSs, confidentiality is critical in the authentication and authorization stages during access control to a given IACS. Usually cryptography adds undesired latency to an IACS network, which is very undesirable for open and closed loop systems that must receive, manipulate, and send control data at a rate commensurate with the asset's process dynamics. Consequently, availability and integrity are usually higher IACS cyber security objectives than confidentiality. (3)

Authentication—A security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information. (4)

Authorization—A right or permission that is granted to a system entity to access a system resource. (3)

Availability—The probability that an asset, under the combined influence of its reliability, maintainability, and security, will be able to fulfill its required function over a stated period of time, or at a given point in time.

Bandwidth—The capacity of a communication channel to pass data through the channel in a given amount of time. Usually expressed in bits per second. As a side note, control and SCADA data are usually smaller, yet consistent, in size than on other networks, which traditionally carry higher levels. Nonetheless, there is a move to fieldbus systems requiring higher bandwidths due to the inherent nature of requiring less wiring and performing control algorithms without a master station or PLC. (3)

Certificate—See Public Key Certificate. (3)

Certification Authority—An entity in a Public Key Infrastructure (PKI) that is responsible for issuing certificates, and exacting compliance to a PKI policy. (3)

Ciphertext—Data that has been transformed by encryption so that its semantic information content (i.e., its meaning) is no longer intelligible or directly available.

Clear text—Data in which the semantic information content (i.e., the meaning) is intelligible or is directly available. (3)

Client—A device or application receiving or requesting services or information from a server application. (1)

Confidentiality—Assurance that information is not disclosed to unauthorized individuals, processes, or devices. (4)

Cryptographic Key—A parameter that varies the transformation performed by a cryptographic algorithm. (3) Note: Usually shortened to just "key."

Cyberattack—Successful exploitation of software, hardware, or firmware vulnerabilities in IACS components and/or network components connected to an industrial network.

Data Link Layer Protocols—Protocols within the specific OSI level for interpreting electrical signals as data, conducting error checking, performing physical addressing, and conducting media access control. (2) These protocols exist in enterprise systems connected to control LANs and in some cases exist as protocols in industrial networks.

Decryption—The process of changing ciphertext into plaintext using a cryptographic algorithm and key (See "encryption"). (3)

Defense in Depth—A security architecture based on the idea that any one point of protection may, and probably will, be defeated. Note: Defense in depth implies layers of security and detection, even on single systems, and provides the following features:
• attackers are faced with breaking through or bypassing each layer without being detected
• a flaw in one layer can be protected by capabilities in other layers
• system security becomes a set of layers within the overall network security.

Denial of Service (DoS)—The prevention or interruption of authorized access to a system resource or the delaying of system operations and functions. (3)

Digital Signature—The result of a cryptographic transformation of data which, when properly implemented, provides the services of origin authentication, data integrity, and signer non-repudiation. (1)

Distribution—See Key Distribution. (3)

Encryption—Cryptographic transformation of plaintext into ciphertext that conceals the data's original meaning to prevent it from being known or used (See "decryption"). (3) Note: If the transformation is reversible, the corresponding reversal process is called "decryption," which is a transformation that restores encrypted data to its original state.

Integrity—Quality of a system reflecting the logical correctness and reliability of the operating system, the logical completeness of the hardware and software implementing the protection mechanisms, and the consistency of the data structures and occurrence of the stored data. (4) Note: In a formal security mode, integrity is often interpreted more narrowly to mean protection against unauthorized modification or destruction of information.

Interception—Capture and disclosure of message contents or use of traffic analysis to compromise the confidentiality of a communication system based on message destination or origin, frequency or length of transmission, and other communication attributes.

Interface—A logical entry or exit point that provides access to the module for logical information flows.

Key—See Cryptographic Key.

Key Distribution—The transport of a key and other keying material from an entity that either owns the key or generates the key to another entity that is intended to use the key. (3)

Key Pair—A public key and its corresponding private key as used in a public key algorithm. (3)

Local Area Network (LAN)—A communications network designed to connect computers and other intelligent devices in a limited geographic area (typically less than 10 kilometers). (5)

Latency—The time interval between when a message is sent by one device and received by a second device. Latency, along with jitter, are key parameters that define the performance of a control system. Increased latency in a control loop can be detrimental since the dynamics of the asset under control dictate the amount of latency that can keep the control process safe and productive.

Man-in-the-Middle—A form of active wiretapping attack in which the attacker intercepts and selectively modifies communicated data in order to masquerade as one or more of the entities involved in a communication association. This is also defined as snooping and can be an effectively misleading and destructive IACS cyber attack since the control room operator's screen may be indicating safe and normal route operation, while havoc is being conducted on the automated processes and assets in the field. (3)

Network Layer Protocol—Protocols for routing messages through a complex network. Layer 3 of the OSI reference model. (2) Modern industrial fieldbus protocols and SCADA protocols usually do not contain a network layer.

Non-repudiation—A security service that provides protection against false denial of involvement in a communication. (3)

Password—A string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization. (1)

Personal Identification Number (PIN)—An alphanumeric code or password used to authenticate an identity. (1)

Physical Layer Protocol—Protocols for transmitting raw electrical signals over a communications channel. Deals with the transmission physics of cabling, modulation, and transmission rates. Layer 1 of the OSI reference model. (2)

Plaintext—Unencoded data that is input to and transformed by an encryption process, or that is output by a decryption process. (3)

Point-to-Point Protocol (PPP)—A protocol defined in RFC 1661, the Internet standard for transmitting network layer datagrams (e.g., Internet Protocol (IP) packets) over serial point-to-point links, which is occasionally deployed in certain types of SCADA networks.

Protection Profile—An implementation-independent set of security requirements for a category of Targets of Evaluation that meet specific consumer needs. (1)

Pseudorandom Number Generator (PRNG)—An algorithm that produces a sequence of bits that is uniquely determined by an initial value called a seed. The output of a PRNG "appears" random, i.e., the output is statistically indistinguishable from random values. A cryptographic PRNG has the additional property that the output is unpredictable, given that the seed is not known. (3)

Public Key—A cryptographic key used in a public key cryptographic algorithm that is uniquely associated with an entity and that may be made public. (1)

Public Key Certificate—A set of data that uniquely identifies an entity, contains the entity's public key, and is digitally signed by a trusted party, thereby binding the public key to the entity. (1)

Public Key (asymmetric) Cryptographic Algorithm—A cryptographic algorithm that uses two related keys, a public key and a private key. The two keys have the property that deriving the private key from the public key is computationally infeasible.

Public Key Infrastructure (PKI)—A framework that is established to issue, maintain, and revoke public key certificates. (3)

Repudiation—Denial by one of the entities involved in a communication of having participated in all or part of the communication. (3)

Risk—An expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular consequence. (3)

Secret Key—A cryptographic key, used with a secret key cryptographic algorithm, that is uniquely associated with one or more entities and should not be made public. (1)

Secret Key (symmetric) Cryptographic Algorithm—A cryptographic algorithm that uses a single secret key for both encryption and decryption. (1)

Security Domain—A system or subsystem that is under the control of a LAN or enterprise LAN authority or a single trusted authority. Security domains may be organized (e.g., hierarchically) to form larger domains. (3)

Security Services—Mechanisms used to provide confidentiality, data integrity, authentication, or non-repudiation of information. (3)

Server—A device or application that provides information or services to client applications and devices. (3)

Sniffing: See Interception.

Spoof—Pretending to be an authorized user and performing an unauthorized action. (3)

Symmetric Key—A single cryptographic key that is used with a secret (symmetric) key algorithm. A system where the encrypting key for plaintext to cipher text is identical to the key used to convert cipher text back to plaintext. (3)

Symmetric Key Algorithm—See Secret Key Cryptographic Algorithm. (3)

System Software—Special software designed for a specific computer system or family of computer systems to facilitate the operation and maintenance of the computer system and associated programs and data. (1)

Threat—A potentially damaging action (intended or unintended) or capability (internal or external) to adversely impact through a vulnerability. (6)

Throughput—The maximum continuous traffic rate that an IACS device can handle without dropping a single packet. (2)

Vulnerability—A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's integrity or security policy. (3)

Wide Area Network (WAN)—A communications network designed to connect computers over a large distance, such as across a country or the world. (1)
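The glossary entries for Symmetric Key, Integrity, Man-in-the-Middle and Digital Signature are easiest to see side by side in code. The following is an added example, not text or code from ISA-TR99.00.01-2007: a receiver that authenticates a small control message with an HMAC over a shared secret key, so that a modified setpoint or a replayed frame is rejected. The message layout (sequence number, point id, setpoint), the hard-coded key and the sample frames are constructed for illustration; a symmetric tag gives origin authentication and integrity but, because both ends hold the same key, not the signer non-repudiation that the Digital Signature entry attributes to public key signatures.

```python
"""Message authentication for a constructed control message (added example).

Shows, with the Python standard library only, the glossary notions of a
symmetric (shared secret) key, data integrity, and detection of a
man-in-the-middle modification or a replayed frame.
"""
import hashlib
import hmac
import struct

# Constructed shared secret for the example.  In a deployment this value comes
# from key distribution (see "Key Distribution") and is never hard-coded.
SHARED_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)

TAG_LEN = 32                      # HMAC-SHA256 tag length in bytes
MSG_FORMAT = "!IHd"               # hypothetical layout: seq (u32), point id (u16), setpoint (f64)


def build_message(seq, point_id, setpoint):
    """Serialise a hypothetical setpoint write into the fixed 14-byte layout."""
    return struct.pack(MSG_FORMAT, seq, point_id, setpoint)


def parse_message(message):
    """Inverse of build_message: returns (seq, point_id, setpoint)."""
    return struct.unpack(MSG_FORMAT, message)


def authenticate(key, message):
    """Sender side: append an HMAC-SHA256 tag computed with the shared key."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(key, frame):
    """Receiver side: return the message if the tag verifies, otherwise None.

    hmac.compare_digest runs in constant time so the comparison itself does
    not leak how many tag bytes matched.
    """
    if len(frame) < struct.calcsize(MSG_FORMAT) + TAG_LEN:
        return None
    message, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return message


def tampered_frame(frame, new_setpoint):
    """Simulate an in-path modification: rewrite the setpoint, keep the old tag.

    Used only to show that the receiver detects the change.
    """
    seq, point_id, _ = parse_message(frame[:-TAG_LEN])
    return build_message(seq, point_id, new_setpoint) + frame[-TAG_LEN:]


class Receiver:
    """Verifies the tag, then rejects replays via a strictly increasing sequence number."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def accept(self, frame):
        """Return (seq, point_id, setpoint) for an authentic, fresh frame, else None."""
        message = verify(self.key, frame)
        if message is None:
            return None                      # bad tag, wrong key, or truncated frame
        seq, point_id, setpoint = parse_message(message)
        if seq <= self.last_seq:
            return None                      # replayed or reordered frame
        self.last_seq = seq
        return (seq, point_id, setpoint)


if __name__ == "__main__":
    frame = authenticate(SHARED_KEY, build_message(1, 7, 42.5))
    rx = Receiver(SHARED_KEY)
    print("genuine frame:", rx.accept(frame))
    print("modified setpoint:", rx.accept(tampered_frame(frame, 99.0)))
    print("replayed frame:", rx.accept(frame))
```

The tag adds 32 bytes and one SHA-256 pass per frame, which is the kind of per-message cost the Asymmetric Key Algorithm note weighs against control-loop latency; the sequence number is what turns integrity of a single frame into protection against replay of an old, correctly tagged one.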
3.2 Acronyms

3DES Triple Digital Encryption Standard
AES Advanced Encryption Standard
AGA American Gas Association
ASM Automated Software Management
CERT Computer Emergency Response Team
CHAP Challenge Handshake Authentication Protocol
CIP® Common Industrial Protocol (formerly Control and Information Protocol)
CMVP Cryptographic Module Validation Program
COTS Commercial Off the Shelf
CPU Central Processing Unit
CS Control System
DAC Discretionary Access Control
DC Domain Controller
DCS Distributed Control Systems
DMZ Demilitarized Zone
DoS Denial-of-Service
DPA Differential Power Analysis
EC Elliptic Curve
ECC Elliptic Curve Cryptosystem
FAN Field Area Network
FAQ Frequently Asked Questions
FAT Forensics Analysis Tool
FIPS Federal Information Processing Standards
FTP File Transfer Protocol
GPS Global Positioning System
HCM Host Configuration Management
HIDS Host Intrusion Detection System
HMI Human Machine Interface
HTTP Hyper Text Transfer Protocol
HTTPS Hyper Text Transfer Protocol Secure
IACS Industrial Automation and Control System
IAONA Industrial Automation Open Networking Association
IATF Information Assurance Technical Framework
ID Identification
IDS Intrusion Detection System
IED Intelligent Electronic Devices
IEEE Institute of Electrical and Electronics Engineers
IETF Internet Engineering Task Force
IP Internet Protocol
IPsec Internet Protocol Security
IT Information Technology
LAN Local Area Network
LDAP Lightweight Directory Access Protocol
LSS Location Signature Sensor
MAC Media Access Control
MIT Massachusetts Institute of Technology
NAT Network Address Translation
NFAT Network Forensics Analysis Tool
NIDS Network Intrusion Detection System
NIST U.S. National Institute of Standards and Technology
NSA U.S. National Security Administration
OLE® Object Linking and Embedding
OPC® OLE for Process Control
OS Operating System
PC Personal Computer
PCN Process Control Network
PDA Personal Digital Assistant
PGP® Pretty Good Privacy®
PIN Personal Identification Number
PKI Public Key Infrastructure
PLC Programmable Logic Controller
PPP Point-to-Point Protocol
PRNG Pseudorandom Number Generator
RBAC Role-Based Access Control
RFC Request for Comment
RSA® Rivest, Shamir and Adleman
RTOS Real-time Operating System
RTU Remote Terminal Unit
SAM Security Accounts Manager
SCADA Supervisory Control and Data Acquisition
SNMP Simple Network Management Protocol
SSH Secure Shell
SSL Secure Sockets Layer
Sysdiff System Difference Packages
TCP Transmission Control Protocol
TCP/IP Transmission Control Protocol/Internet Protocol
TLS Transport Layer Security
USB Universal Serial Bus
VDS Virus Detection System
VLAN Virtual Local Area Network
VPN Virtual Private Network
WAN Wide Area Network
Wi-Fi Wireless Fidelity

3.3 Sources of Definitions and Abbreviations

1. Federal Information Processing Standards (FIPS) PUB 140-2, (2001) "SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES," Section 2, Glossary of Terms and Acronyms, U.S. National Institute of Standards and Technology.
2. Used with permission of the British Columbia Institute of Technology Internet Engineering Lab, Vancouver, Canada.
3. Internet Security Glossary (RFC2828), Internet Society. Copyright (C) The Internet Society (2000). All Rights Reserved. This document (RFC2828) and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.
4. CNSS Instruction No. 4009, U.S. National Information Assurance Glossary, May 2003, cnss.gov/Assets/pdf/cnssi_4009.pdf
5. SANS Glossary of Terms used in Security and Intrusion Detection, May 2003, sans.org/resources/glossary.php
6. U.S. NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf.

4 Overview

Many industries and critical infrastructures have reported an increase in the number of unauthorized attempts to access electronic information, or, even more ominous, to hack into the IACSs that monitor and regulate assets crucial to the nation (e.g., energy pipelines, transportation systems, water systems, and the power grid). Over the last several years, the number of joint ventures, alliance partners, and outsourced services in the industrial sector has increased dramatically. During the same period, IACSs have evolved from isolated networks based on proprietary technologies and protocols to standards-based networks connected to the rest of the enterprise, including the business enterprise that is usually connected to the Internet and to other enterprises and partners over corporate WANs. Consequently, it is now very challenging to know who is authorized to access electronic IACS information, how they access the information, and what data they should be able to access. Partners in one business venture may also be competitors in another business.

However, because IACS equipment is directly connected to the process, loss of trade secrets and interruptions in the flow of information are not the only potential consequences of a security breach, and certainly not the ones with the greatest impact. Far more serious can be the potential loss of production, environmental damage, regulatory violation, or compromise to operational safety. The latter may have ramifications beyond the targeted company; it may grievously damage the infrastructure of the host region or nation.

Worldwide, as an increasing percentage of the population has become computer literate, malicious hacking, in addition to being a nefarious hobby with high-profile news coverage, has become a means to profit financially. In fact, tools that automate malicious hacking are now publicly available on the Internet. Instances of computer virus attacks are increasing in frequency. External threats from terrorists, extortion hackers, and nation states are not the only concerns; knowledgeable insiders with malicious intent or even an innocent unintended act can pose a serious security risk to industry and critical infrastructure. Combining all of these factors, it is easy to see that the probability of someone gaining unauthorized or damaging access to a control system has increased.
The technology changes of standardization, vertical connectivity, remote access (both wired and wireless), as well as partner relationships, may serve good business, economic, efficiency, and productivity ends in critical infrastructure industries, but they increase the potential risk of compromising the cyber security of IACSs. Likewise, as the threats to industry increase, so does the need for cyber security.
The ISA99 working group responsible for this technical report determined that there are several categories of tools, countermeasures, and technologies available for securing an IACS network. The major categories are covered in sections 5 through 10 of this technical report. The information in each section provides an overview of the technology, tool and/or countermeasure category, a list of specific types of applications within the category, and a discussion of how well that type of application fits the IACS environment and its requirements. IACS networks use many of the same computers and communication technologies as corporate IT/enterprise networks, because it is more economical to add to existing technologies than to start from scratch. However, the unique technical and operating constraints must be considered when applying security technologies. One of the major goals of this technical report is to highlight those areas that warrant special consideration of IACS factors.

5 Authentication and Authorization Technologies
The concept of authorization has existed as long as humans have had assets worth protecting. Authorization is the initial step in protecting an IACS system and its critical assets from unwanted breaches. It is the process of determining who or what should be allowed in or out of the system. Once this information is determined, defense-in-depth access control measures can be implemented to verify that only authorized people and devices can actually access the IACS system. One such measure is usually authentication of the person or device attempting to access the IACS system. Authorization can be as granular as determining access to specific files or applications, or as encompassing as access to the entire enterprise or IACS network. Authorization is usually implemented directly via the configuration tools provided by the vendors of operating systems, applications, and networks. Authorization mechanisms are supported on virtually all systems but impose great architectural and administrative challenges at all levels of enterprise and IACS computing. Authorization and authentication are fundamental to access control in an IACS.
They are distinct concepts, but are often confused because of the close relationship between the two. Proper authorization is, in fact, dependent upon authentication. Authentication describes the process of positively identifying potential network users, hosts, applications, services, and resources using a combination of identification factors or credentials. The result of this authentication process then becomes the basis for permitting or denying further actions. Based on the response received, the system may or may not allow the potential user access to its resources. There are several possible factors for determining the authenticity of a person, device or system. For example, the test could be something known (e.g., a PIN or password), something owned (e.g., a key, dongle, or smart card), something physical (e.g., a biological characteristic such as a fingerprint or retinal signature), a location (e.g., a global positioning system (GPS) location of access), the time the request is made, or a combination of these attributes. In general, the more factors used in the authentication process, the more robust the cyber security process will be. When more than one factor is used, the process is generically called multi-factor authentication. There are two components of authentication:
• User Authentication: the traditional computer authentication of "logging onto a computer" or activating a human machine interface (HMI) to adjust a process.
• Network Service Authentication: the ability of networked devices to distinguish between authorized and unauthorized remote requests for IACS data or for performing actions on the IACS.
Computer systems in an IACS environment typically rely on traditional passwords for authentication. Control system suppliers often supply systems with default passwords. These passwords are often easy to guess and are not frequently changed, and create an additional security risk as a result. At the current time, protocols used in IACS environments generally have inadequate or no network service authentication.
NOTE: Network Service Authentication should not be confused with "message authentication," a term frequently used in the security literature. Message authentication deals with protecting a message from modification during transmission, or with signing digital records for long-term electronic storage. This concept is included in the section entitled Encryption Technologies and Data Validation.
Listed below are several types of authentication and authorization technologies.
The section on operating systems associated with IACS systems also includes a discussion of authorization issues.

5.1 Role-Based Authorization Tools
Role-based access control (RBAC) technology is a tool that is attracting a great deal of attention because of its potential for reducing the complexity and cost of security administration in networks with large numbers of intelligent devices, like IACS systems. Under RBAC, security administration is simplified by using roles, hierarchies, and constraints to organize user access levels. RBAC reduces costs within an organization because it accepts that control operations employees change more frequently than the duties within positions.

5.1.1 Security Vulnerabilities Addressed by this Technology
RBAC systems are designed to minimize potential security violations by providing greater control over users' access to information and resources on multiple devices of an IACS network. At the level of the control room operator, access can take several forms, including viewing, using, or altering specific IACS data or device functions. The promise of RBAC is a uniform means to manage access to plant floor devices while reducing the cost of maintaining individual device access levels and minimizing errors. The traditional approach to controlling access to IACS information and network resources is to establish specific permissions for each user. These permissions are then configured into the security level mechanisms supported by the individual intelligent devices. An industrial control system may have thousands of such devices: DCSs, HMIs, process historians, PLCs, motor control centers, smart sensors, and application-specific data concentrators. While effective in a static environment, this approach is difficult to manage in dynamic environments where users enter and leave employment and where contractors, original equipment manufacturers, system integrators, and vendors come and go. This constant stream of changes requires frequent updates to access permissions, a time-consuming and error-prone process. A common security lapse with this approach is that timely permission updates are not made, enabling unauthorized users (such as terminated employees) to access restricted functions. Quite often, plants simply disable individual device security access levels for this reason. RBAC addresses this problem by basing access on the user's role or job responsibilities rather than customizing access for each individual. For example, machine operators may be able to view certain files, but not alter them.
On the surface, basing access control on job descriptions may seem to be restricting, but RBAC can grant multiple access permissions to groups and has the ability to grant elevated access privileges to certain individuals. Using the previous example, machine operators could view files on a number of devices, while the machine vendor's support engineers could access additional functions on a specific machine. Roles can also be set up based on location, projects, schedule, or management level. Although employee and contractor turnover make it difficult to maintain individual permissions, this is less of a problem with roles because they usually change less often. Being able to add and remove users from role groups in a centralized database minimizes the effort to keep access levels current and reduces the potential for error.

5.1.2 Typical Deployment
Access to computer system objects in an IACS is based on a user's role in the organization. Users are associated with roles, and roles are associated with permissions. Users have permission to access an object if the user has an authorized role associated with that permission.
RBAC tools provide graphical user interfaces to simplify the process of establishing roles, groups, and permissions. These tools are often Web-based and operated over the enterprise's corporate intranet. RBAC tools centralize the repository of authorizations while delegating the actual role assignment to the functional department manager. A plant might use RBAC to centralize access control to the intelligent devices in the control system, while assigning personnel to roles becomes the separate responsibility of the instrumentation, maintenance, and operations support departments. RBAC tools can set, modify, and remove authorizations for applications, but do not replace the authorization mechanism; they do not check or authenticate users every time a user wants to access an application.

5.1.3 Issues and Weaknesses
In order to provide uniform authorization management, RBAC tools must be able to work with the tokens, digital certificates, directories, and other authorization mechanisms of the intelligent devices they are protecting. RBAC tools offer interfaces to the authorization mechanisms of current platforms in the IT arena. However, legacy IACS systems and specialized IACS equipment require the development of specialized interface software.
Software development can pose an enormous task for many systems, and is the single largest reason that prevents many companies from implementing single-sign-on capabilities on enterprise networks. This issue is a larger problem for industrial control systems because of the number of proprietary operating systems and customized operating system implementations and interfaces. Centralized RBAC strategies have the potential of making access control systems dependent upon the health and availability of the corporate wide area network and the central RBAC server. Thus, centralized RBAC introduces additional points of failure that can impact the availability of the industrial automation and control system. Another issue is that RBAC is a relatively new methodology whose benefits and applications are not yet well understood. Also, IACS architectures do not presently support the methodology.

5.1.4 Assessment for the Industrial Automation and Control Systems Environment
At the time this technical report was released, the ISA99 committee was not aware of any broad-based RBAC tools specifically developed for industrial control systems. In particular, tools that uniformly authorize control systems employing products from multiple vendors were not available. However, some equipment vendors did offer tools to centralize authorization for a portion of their products, such as access to program development applications for controllers.

5.1.5 Future Directions
Protocols used in industrial environments need to accommodate access control mechanisms consistent with RBAC. While this is difficult to achieve with many legacy protocols, it is occurring with modern protocols. An example is the OLE® for Process Control (OPC®) standard, which has developed security specifications for access control to OPC® servers. Products that perform some measure of uniform authorization management for industrial control devices were introduced in early 2005, but are not widely deployed. The functionality of these products may be incorporated into security gateways that combine a number of security functions.

5.1.6 Recommendations and Guidance
In the absence of uniform authorization tools, designers of IACSs should take precautions to minimize the amount of external traffic into the control system. While various architectural measures attempt to stop data flow from the control system to enterprise systems, this cannot be achieved in total. RBAC may increase the safety of spontaneous data requests into the control system, but it is not a panacea for careless design of data flows.
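The users-to-roles-to-permissions model of 5.1, with a role hierarchy and a centrally revocable assignment, as an added worked example (this is illustration code written for this page, not a tool from the technical report or any vendor; the roles, device names and permissions are constructed):

```python
"""Role-based access control (RBAC) model with role hierarchy and scoped permissions.

Constructed illustration of the users -> roles -> permissions model of 5.1;
roles, devices and permissions below are invented for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    # Permissions are (action, resource) pairs; resource "*" means any device.
    permissions: set = field(default_factory=set)
    # Roles whose permissions this role inherits (the "hierarchy" of 5.1).
    parents: set = field(default_factory=set)


class Rbac:
    def __init__(self):
        self.roles = {}        # role name -> Role
        self.user_roles = {}   # user -> set of role names

    def add_role(self, name, permissions=(), parents=()):
        for parent in parents:
            if parent not in self.roles:
                raise ValueError(f"unknown parent role {parent!r}")
        self.roles[name] = Role(name, set(permissions), set(parents))

    def assign(self, user, role):
        if role not in self.roles:
            raise ValueError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        # One central change removes the user from every device the role covered.
        self.user_roles.get(user, set()).discard(role)

    def role_permissions(self, role):
        """Permissions of a role plus everything inherited through its parents."""
        seen, stack, perms = set(), [role], set()
        while stack:
            current = stack.pop()
            if current in seen:
                continue
            seen.add(current)
            perms |= self.roles[current].permissions
            stack.extend(self.roles[current].parents)
        return perms

    def effective_permissions(self, user):
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions(role)
        return perms

    def is_allowed(self, user, action, resource):
        perms = self.effective_permissions(user)
        return (action, resource) in perms or (action, "*") in perms


def build_plant_rbac():
    """Constructed example: operators may view every device; a vendor support
    engineer inherits that and may additionally configure one specific machine."""
    rbac = Rbac()
    rbac.add_role("operator", {("view", "*")})
    rbac.add_role("vendor-engineer", {("configure", "mixer-7")}, parents=["operator"])
    rbac.assign("alice", "operator")
    rbac.assign("bob", "vendor-engineer")
    return rbac
```

Removing a contractor is a single `revoke` call rather than an edit on each device, which is the point 5.1 makes about turnover; the per-device permission lists the text describes would have to be touched one by one.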
5.1.7 Information Sources and Reference Material
• An Introduction to Role Based Access Control, NIST CSL Bulletin on RBAC (December 1995), csrc.nist.gov/rbac/NIST-ITL-RBAC-bulletin.html, (Accessed July 28, 2006).
• D. Ferraiolo, D. Kuhn, R. Chandramouli (2003), "Role-Based Access Control," Artech House, Boston, MA.
• B. Kropp, M. Gallaher, "Access Cost Savings: Role-Based Access Control Systems Can Save Organizations Time and Money," Information Security Magazine, April 2001 (case study), infosecuritymag.techtarget.com/articles/april01/cover.shtml#case_study, (Accessed July 28, 2006).
• "Security Authorizations Management," bhold Company White Paper, September 2001, bhold company, Naarden, The Netherlands.

5.2 Password Authentication
Password authentication technologies determine authenticity based on testing for something the device or control operator requesting access to the IACS should know (i.e., a secret), such as a personal identification number (PIN) or password. Password authentication schemes are the simplest and most common. There are three general types of passwords:
• Passcode or PIN: a short sequence of numbers used as the secret (e.g., the digits 1234).
• Password: a short character string used as the secret (e.g., "hat34slow").
• Passphrase: a long string used to generate the secret (e.g., the phrase "downtown 23 boats has cars blew smoke cabbage" might generate the secret radix-64 value X34B3-By88e-P345s-56df0).
Each password type follows the same concept, but provides a different level of complexity for the user and therefore of security for the system.
• A passcode is simple enough for even the smallest embedded device to manage. It often represents a number from 0 to 9999 and can be stored in a simple 16-bit integer. It is also the least secure method. Common examples are the PIN for an automatic teller machine card or the keypad of a door access device.
• A password is a longer secret, often in the 6 to 14 character range. It takes more memory and processing to manage, but therefore provides a little more security.
• A passphrase is a longer secret that could be used to create a numeric key for a cipher system.
It takes effort to remember a phrase like "downtown 23 boats has cars blew smoke cabbage," but it is much easier for people to remember than the code "X34B3-By88e-P345s-56df0." This method also provides the most security because it is the hardest for a hacker to guess and the least probable for a password/code-breaking program to break.

5.2.1 Security Vulnerabilities Addressed by this Technology
In the IACS environment, passwords can be used to limit requests for services and functions to authorized users.

5.2.2 Typical Deployment
Passwords are commonly employed in two ways:
• The password is submitted with the request for authorization. Network service requests usually include the password in the request. A common example is a Simple Network Management Protocol (SNMP) request that includes a community name.
• After the request, the system requests the password to confirm authorization. User authentication generally requests the password when the user attempts access.

5.2.3 Issues and Weaknesses
The strength of a password is directly related to its length and entropy (randomness). The importance of length is fairly obvious. A two-digit passcode has 100 possible values from 00 to 99, while an 8-character password has billions of possible values. Entropy, the measure of the randomness of a password, is equally important. Passwords with predictable sequences of digits (e.g., "1234") or common English language words (e.g., "password" or "operator") are far easier to predict than random passwords. Unfortunately, the greatest weakness of passwords is that control system users tend to pick passwords that are easy to remember and that therefore have very low entropy and are easy to predict. Many passcodes on a 12-key keypad end up as a simple physical pattern, like 1254 or 1478, and many computer passwords are birth-dates or a spouse's or pet's name. Cracking schemes that exploit human preferences and pattern recognition or familiarization allow attackers to guess the correct password in far fewer than the theoretical number of tries. Password vulnerability can be reduced if the vendor implements an active password checker that prohibits weak, recently used, or commonly used passwords. Another weakness is the ease of third party eavesdropping. Passwords typed on a keypad or keyboard can be easily observed or recorded, especially in areas where attackers could plant tiny wireless cameras or hardware keystroke sniffers.
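An active password checker of the kind 5.2.3 recommends, covering length, an entropy estimate, predictable sequences, the physical keypad patterns such as 1254 and 1478, a common-word list and reuse of recent passwords, as an added example written for this page (not code from the technical report or any vendor; the policy thresholds, the tiny word list and the 12-key layout are constructed assumptions):

```python
"""Active password checker: rejects weak, predictable, common and recently used passwords.

Constructed example for the weaknesses listed in 5.2.3; thresholds, the mini
dictionary and the keypad layout are assumptions made for this illustration.
"""
import hashlib
import math
from collections import deque

# Constructed mini dictionary; a real checker would load a large word list.
COMMON_WORDS = {"password", "operator", "admin", "welcome", "qwerty"}

# 12-key telephone keypad layout: 1 2 3 / 4 5 6 / 7 8 9 / * 0 #
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
          "4": (1, 0), "5": (1, 1), "6": (1, 2),
          "7": (2, 0), "8": (2, 1), "9": (2, 2),
          "*": (3, 0), "0": (3, 1), "#": (3, 2)}

MIN_LENGTH = 8          # constructed policy values
MIN_ENTROPY_BITS = 40
HISTORY_SIZE = 5


def estimate_entropy_bits(secret):
    """Upper-bound entropy: log2(pool size) per character, with the pool taken
    from the character classes actually present (lower, upper, digit, other)."""
    pool = 0
    if any(c.islower() for c in secret):
        pool += 26
    if any(c.isupper() for c in secret):
        pool += 26
    if any(c.isdigit() for c in secret):
        pool += 10
    if any(not c.isalnum() for c in secret):
        pool += 33
    return len(secret) * math.log2(pool) if pool else 0.0


def is_sequence(secret):
    """True for runs like 1234, 4321 or abcd: every step is +1 or -1 in code point."""
    if len(secret) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(secret, secret[1:])}
    return steps in ({1}, {-1})


def is_keypad_pattern(passcode):
    """True when every consecutive pair of keys is physically adjacent on the
    keypad (1254, 1478, 2580): the 'simple physical pattern' of 5.2.3."""
    if len(passcode) < 3 or any(c not in KEYPAD for c in passcode):
        return False
    for a, b in zip(passcode, passcode[1:]):
        (r1, c1), (r2, c2) = KEYPAD[a], KEYPAD[b]
        if max(abs(r1 - r2), abs(c1 - c2)) != 1:
            return False
    return True


class PasswordChecker:
    def __init__(self):
        self.history = {}   # user -> deque of digests of recent passwords

    def check(self, user, secret):
        """Return the list of policy violations; an empty list means accepted."""
        reasons = []
        if len(secret) < MIN_LENGTH:
            reasons.append("too short")
        if any(word in secret.lower() for word in COMMON_WORDS):
            reasons.append("common word")
        if is_sequence(secret):
            reasons.append("predictable sequence")
        if is_keypad_pattern(secret):
            reasons.append("keypad pattern")
        if estimate_entropy_bits(secret) < MIN_ENTROPY_BITS:
            reasons.append("low entropy")
        if self._digest(secret) in self.history.get(user, ()):
            reasons.append("recently used")
        return reasons

    def remember(self, user, secret):
        """Record an accepted password so it cannot be reused for HISTORY_SIZE changes."""
        self.history.setdefault(user, deque(maxlen=HISTORY_SIZE)).append(self._digest(secret))

    @staticmethod
    def _digest(secret):
        # Only a digest is kept: a plaintext history would itself be a password file to protect.
        return hashlib.sha256(secret.encode()).hexdigest()
```

The entropy figure is an upper bound (it assumes each character was chosen uniformly from its class), which is why the sequence, keypad and dictionary checks are needed on top of it: "1234" and "1254" score identically on entropy but fail different structural tests.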
Network service authentication often transmits passwords in plaintext (unencrypted), allowing any network capture tool to expose the actual password. An improvement over plaintext passwords is hashed passwords. A one-way algorithm is used to cryptographically convert the password into a hash code, which is extremely computationally expensive to decrypt back into the original password. However, hashed passwords are not safe. It is possible to determine another password that hashes to the same value, although it is also computationally expensive to do so. More seriously, even if passwords are sent as cryptographic hashes, network capture tools often allow the message to be modified and "replayed," easily creating a message complete with a valid encrypted password without ever knowing the original password. Password files must be protected from read and copy access. A common method of password cracking is to copy the password file and run off-line programs against the file. These programs generate a large number of possible passwords and their hashes, using the same one-way algorithm, and build a password versus hash list. The program then compares the captured password file against the list until a match is found. This method of attack limits the exposure of the attacker and may result in a fully compromised system.

5.2.4 Assessment for the Industrial Automation and Control Systems Environment
A problem with passwords that is unique to IACS environments is that a user's ability to recall and enter a password may be impacted by the stress of the moment. During a major crisis when human intervention is critically required, an operator may panic or have difficulty remembering the password and be either locked out completely or delayed in being able to respond to the event. If the password has been entered wrong and the system has a limit on allowed wrong password entries, the operator may be locked out permanently until an authorized employee can reset the account. Special consideration must be made when using policies based on login password authentication within the IACS environment. Without an exclusion list based on machine identification (ID), non-operator login policies such as auto-logoff timeout or administrator password replacement can be detrimental to the operation of the system. Some controller operating systems make setting secure passwords difficult, as the password size is very small or the system only allows group passwords per level of access rather than individual passwords. Some industrial (Internet) protocols transmit passwords in plaintext, making them susceptible to interception. In cases where this practice cannot be avoided, it is important that users use different (unrelated) passwords for encrypted and non-encrypted systems.

5.2.5 Future Directions
Industrial automation and control systems equipment should be sophisticated enough to allow high-level password security. IACS equipment needs protocols that allow passwords to be transmitted in secure ways (i.e., not in plaintext). The method of password use in the future may well be the common method noted as RBA, role-based authentication, where several operators have, in some cases, the same password and are therefore equally authorized, since they have the same authorities in relation to what they can conceivably enter into the control system through that authorization. Role-based methods that associate a person with his or her job role, as opposed to his or her individuality, are useful in an administrative environment where job roles change more frequently than in the common enterprise. Future IACS password equipment and protocols must be able to provide flexibility for the operator in various emergency situations. For instance, in an emergency situation, a panicked operator may attempt to log in unsuccessfully several times. Not allowing the operator access to the system in an emergency situation could create severe problems with disastrous results. Therefore, there must be provisions in the password algorithm to recognize unsuccessful attempts by someone who has knowledge of the password, through similarities in the unsuccessful attempts. The algorithm should then allow a simple emergency password to be used for operator login purposes.

5.2.6 Recommendations and Guidance
The following are general recommendations and considerations in regard to passwords. Specific recommendations are presented in the ISA-99.00.02-2007 standard (visit www.isa.org/standards).
• Passwords should have appropriate length and entropy for the characterization of security required. In particular, they should not be findable in a dictionary or contain predictable sequences of numbers or letters.
• Initial passwords and passwords that are reset should be securely transmitted to the intended receiver. User authentication that is not subject to social engineering methods must be employed. This can include face-to-face ID authentication or voice-mail delivery.
• Passwords should not be used on operator interface devices of control consoles for critical processes.
Using passwords on such consoles could introduce potential safety issues if operators are locked out during critical events.
• The keeper of master passwords should be a trusted employee, available during emergencies. Authority to change higher-level passwords should be limited to trusted employees. A password log, especially for master passwords, should be maintained separately from the control systems, possibly in a notebook in a locked vault or safe.
• In environments with a high risk of interception or intrusion (such as remote operator interfaces where the facility lacks local physical security access controls), users should consider supplementing password authentication with other forms of authentication, such as challenge/response or two-factor authentication using biometric or physical tokens.
• For user authentication purposes, the password is common and generally acceptable for users logging directly into a local device or computer. Passwords should not be sent across any network unless protected by some form of strong encryption or a salted cryptographic hash specifically designed to prevent replay attacks. It is assumed that the device used to enter the password is connected to the network in a secure manner.
• For network service authentication purposes, passwords should be avoided if possible. There are more secure alternatives available, such as challenge/response or public-key authentication.

5.2.7 Information Sources and Reference Material
• AGA-12, Cryptographic Protection of SCADA Communications, Part 1: Background, Policies and Test Plan, September 2005, gtiservices.org/security/AGA12_part1_draft6.pdf.
• NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook, csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf.
• Falco, Joe, et al., IT Security for Industrial Control Systems, NIST IR 6859, 2003, isd.mel.nist.gov/documents/falco/ITSecurityProcess.pdf.
• IAONA Handbook for Network Security - Draft/RFC v0.4, Industrial Automation Open Networking Association (IAONA), Magdeburg, Germany, 2003.
• Dray, James, et al, NIST SP: 800-73, Interfaces for Personal Identity Verification, 2005, csrc.nist.gov/publications/nistpubs/800-73-1/sp800-73-1v7-April20-2006.pdf.
• Wilson, Charles, et al, NIST SP: 800-76, Biometric Data Specification for Personal Identity Verification, 2006, csrc.nist.gov/publications/nistpubs/800-76/sp800-76.pdf.
• Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
• Baker, Elaine, et al, NIST SP: 800-56, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, 2005, csrc.nist.gov/publications/nistpubs/800-56A/sp800-56A_May-3-06.pdf.
• Baker, Elaine, et al, NIST SP: 800-57, Recommendation for Key Management, 2005. Part 1, General: csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf. Part 2, Best Practices: csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part2.pdf.
• Zurawski, Richard (2005), The Industrial Communication Technology Handbook, CRC Press, crcpress.com.
• Harris, Shon (2005), All-in-One CISSP, McGraw-Hill/Osborne, 2100 Powell Street, 10th floor, Emeryville, CA 94608.

5.3 Challenge/Response Authentication
Challenge/response authentication requires that the service requester, such as an IACS operator, and the service provider know a "secret" code in advance. When a service is requested, the service provider sends a random number or string as a challenge to the service requester. The service requester uses the secret code to generate a unique response to the service provider. If the response is as expected, it proves that the service requester has access to the "secret" without ever exposing the secret on the network.

5.3.1 Security Vulnerabilities Addressed by this Technology
Challenge/response authentication addresses the security vulnerabilities of traditional password authentication. When passwords (hashed or plain) are sent across a network, some portion of the actual "secret" itself is being sent. Giving the secret to the remote device forms the authentication. Therefore, traditional password exchange always suffers the risk of discovery and replay. Because the secret is known in advance and never sent in challenge/response systems, the risk of discovery is eliminated. If the service provider never sends the same challenge twice, or the receiver can detect duplications, the risks of network capture and replay attacks are eliminated as well.
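The two schemes contrasted in 5.2.3 and 5.3, side by side, as an added example written for this page (not code from the technical report or any protocol standard): a provider that accepts a hashed password accepts the same captured message a second time, while a provider that issues a fresh random challenge and remembers which challenges it has consumed rejects the replayed pair. The HMAC-SHA256 response function, the message layout and the secret values are constructed assumptions.

```python
"""Hashed-password replay versus challenge/response authentication.

Constructed illustration for 5.2.3 and 5.3; the keyed-hash response, the
message format and all secrets are assumptions made for this example.
"""
import hashlib
import hmac
import secrets


# --- Weak scheme: the requester sends hash(password); the provider compares. ---
class HashedPasswordProvider:
    def __init__(self, password):
        self.stored = hashlib.sha256(password).digest()

    def authenticate(self, message):
        # The message is static, so whoever captured it once can resend it unchanged.
        return hmac.compare_digest(message, self.stored)


def hashed_password_replay(password=b"hat34slow"):
    """Return (first_attempt_ok, replay_ok): both are True, the replay succeeds."""
    provider = HashedPasswordProvider(password)
    captured = hashlib.sha256(password).digest()   # what a network capture would contain
    return provider.authenticate(captured), provider.authenticate(captured)


# --- Challenge/response: the secret itself never crosses the network. ---
class Provider:
    def __init__(self, secret):
        self.secret = secret
        self.outstanding = set()   # challenges issued and not yet answered
        self.used = set()          # challenges already consumed (duplicate detection)

    def challenge(self):
        c = secrets.token_bytes(16)   # fresh random challenge, never repeated
        self.outstanding.add(c)
        return c

    def verify(self, challenge, response):
        if challenge in self.used or challenge not in self.outstanding:
            return False              # unknown or already-consumed challenge: a replay
        self.outstanding.discard(challenge)
        self.used.add(challenge)
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Requester:
    def __init__(self, secret):
        self.secret = secret

    def respond(self, challenge):
        # Keyed one-way function of the challenge: proves knowledge of the secret
        # without revealing it, and is useless for any other challenge.
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()


def challenge_response_exchange(secret=b"shared-secret-installed-out-of-band"):
    """Return (genuine_ok, replay_ok, wrong_secret_ok) for one run of the protocol."""
    provider, requester = Provider(secret), Requester(secret)
    c = provider.challenge()
    r = requester.respond(c)
    genuine_ok = provider.verify(c, r)
    replay_ok = provider.verify(c, r)                     # captured pair resent
    c2 = provider.challenge()
    wrong_ok = provider.verify(c2, Requester(b"guess").respond(c2))
    return genuine_ok, replay_ok, wrong_ok
```

The `used` set is what 5.3.1 calls detecting duplications; in a deployed system it would be bounded (e.g. by expiring challenges after a short lifetime) rather than growing without limit, and the shared secret would be installed out of band, which is the distribution problem 5.3.3 raises.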
5.3.2 Typical Deployment
Common challenge/response systems are:
• PPP-CHAP, Internet Engineering Task Force (IETF)/RFC1994: PPP-CHAP allows a remote client to connect over a serial dial-up link to a server. The client must still know a password, but CHAP uses a challenge/response system to verify the password without sending it across the serial line where an attacker may see it and replay it.
• Kerberos, IETF/RFC1510: Kerberos is a centralized server system designed for small, single-authority networks. It allows servers to provide service to clients based on a simple, secure "ticket" concept. A theoretical example is an Object Linking and Embedding (OLE®) OPC® server that obtains a data read ticket from the central Kerberos server and submits it to a PLC before the PLC will answer its data requests. Both Windows® and UNIX®/Linux® have options for Kerberos support.

5.3.3 Issues and Weaknesses
• Challenge/response authentication cannot be used directly for user authentication because users are not willing to manually combine their passwords with the challenge to calculate a suitable response. Protocols like PPP-CHAP get around this problem by directly accepting the user's password and managing the challenge/response authentication without direct user awareness. However, this hybrid approach still provides a way for determined attackers to observe keystrokes as the user enters them.
• A theoretical weakness of challenge/response authentication is that an attacker is provided with both the challenge and the response to examine off-line. If the algorithm or key used to create the response is known, the attacker can use this knowledge to calculate the "secret." This vulnerability is easily avoided by using strong cryptographic algorithms that make the reverse calculation difficult and time consuming.
• The greatest weakness of challenge/response authentication for network service authentication lies in any system that allows a "roll-back attack" during some form of authentication negotiation. In a rollback attack, the attacker can cause the service provider to agree to a weaker legacy authentication method, such as plaintext passwords or no authentication at all. This vulnerability can be avoided if the vendor provides methods to prevent rollback, such as setting the service or device to restrict network service authentication to secure versions of the protocol, and the user enables those methods.
• Passwords, keys, and secrets used for challenge/response authentication must be distributed somehow, either physically or over the network, which risks exposing them and compromising the system. Distribution methods require special care in design and implementation to avoid becoming the weak link in the security system.

5.3.4 Assessment for the Industrial Automation and Control Systems Environment
For user authentication, direct challenge/response authentication is not feasible for control systems because of the possible latency that may be introduced and the necessary fast dynamics required to assess the control system on an industrial network. For network service authentication, challenge/response authentication is preferable to traditional password or source identity authentication schemes.

5.3.5 Future Directions
Industrial automation and control systems equipment and protocols should be sophisticated enough to allow challenge/response authentication in order to provide proper security in the future. When ordering systems, one should look for a good and timely challenge/response authentication protocol such as the Challenge Handshake Authentication Protocol (CHAP), which authenticates using a challenge/response method. CHAP is used in the same way as the Password Authentication Protocol, but CHAP provides a higher degree of security. CHAP can be used by remote users, routers, and network access servers to provide authentication before providing connectivity.

5.3.6 Recommendations and Guidance
Challenge/response authentication provides more security than encrypted passwords for user authentication across a network. Managing master encryption algorithms and master passwords becomes increasingly complex as more parties are involved in the security processes, an important consideration for the robustness of the security scheme.

5.3.7 Information Sources and Reference Material
• PPP Challenge Handshake Authentication Protocol, W. Simpson, ietf.org/rfc/rfc1994.txt?number=1994
• Microsoft extensions to CHAP, G. Zorn, S. Cobb, The Internet Society, faqs.org/rfcs/rfc2433.html

5.4 Physical/Token Authentication
Physical token authentication is similar to "password authentication," except that the technologies determine authenticity by testing for a device or token that the person requesting access should have in his or her possession, such as security tokens or smart cards. Increasingly, PKI keys are being embedded in physical devices such as universal serial bus (USB) devices.
Some tokens support single-factor authentication only, so simply having possession of the token is sufficient to be authenticated. Others support dual-factor authentication and require knowledge of a PIN or password in addition to possession of the token in order to be authenticated.

5.4.1 Security Vulnerabilities Addressed by this Technology
The primary vulnerability that token authentication addresses is the ability to prevent the secret from being easily duplicated or shared with others. It eliminates the all-too-common scenario of the password for a "secure" system being left written next to the personal computer (PC) or operator station. A security token cannot be duplicated without special access to equipment and supplies. A second benefit is that the secret within a physical token can be very large, physically secure, and randomly generated. Because it is embedded in metal or silicon, it doesn't have the same risks as manually entered passwords. If a security token is lost or stolen, the authorized user loses access, unlike traditional passwords that can be lost or stolen without notice.

5.4.2 Typical Deployment
Common forms of physical/token authentication include:
• Traditional physical locks and keys
• Security cards (magnetic, smart-chip, optical coding)
• Radio-frequency devices in the form of cards, key-fobs, or mounted tags
• Dongles or secure encryption keys that attach to the USB, serial, or parallel ports of computers
• One-time authentication code generators

5.4.3 Issues and Weaknesses
With single-factor authentication, the largest weakness is that physically holding the token means access is granted (e.g., anyone finding a set of lost keys now has access to whatever they open). Physical/token authentication is more secure when combined with a second form of authentication, such as a memorized PIN used along with the token. Dual-factor authentication is accepted as good practice in high-security applications. Tokens require logistical and financial support to issue, distribute, and administer. They typically also require additional servers to support the authentication.

5.4.4 Assessment for the Industrial Automation and Control Systems Environment
Physical/token authentication is an effective security technique and should have a strong role in IACS environments.

5.4.5 Future Directions
Reliable and highly secure token solutions are available today.
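The one-time authentication code generators listed in 5.4.2, combined with the PIN that 5.4 and 5.4.3 describe as the second factor, as an added example written for this page (not code from the technical report or any token vendor). The code generation follows HOTP as published in RFC 4226, which is a real algorithm; the token record, the PIN handling and the look-ahead window on the verifier side are constructed assumptions.

```python
"""One-time code generator (HOTP, RFC 4226) with a PIN-plus-token dual-factor verifier.

Constructed example for 5.4.2 and 5.4.3: the HOTP algorithm is the published
RFC 4226 one; the token record, PIN check and look-ahead window are assumptions.
"""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password per RFC 4226 (HMAC-SHA1 with dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server-side state for hardware tokens: one counter per token plus the
    holder's PIN. The look-ahead window tolerates codes that were generated
    but never submitted (a button pressed by accident)."""

    def __init__(self, window=5):
        self.tokens = {}
        self.window = window

    def enroll(self, token_id, secret, pin):
        self.tokens[token_id] = {"secret": secret, "counter": 0,
                                 "pin": hashlib.sha256(pin.encode()).digest()}

    def verify(self, token_id, pin, code):
        rec = self.tokens.get(token_id)
        if rec is None:
            return False
        # Factor 1, something known: checked first, and a wrong PIN never
        # advances the counter, so guessing PINs cannot burn valid codes.
        if not hmac.compare_digest(rec["pin"], hashlib.sha256(pin.encode()).digest()):
            return False
        # Factor 2, something possessed: accept only codes at or ahead of the
        # stored counter, so a code captured once can never be replayed.
        for i in range(rec["counter"], rec["counter"] + self.window):
            if hmac.compare_digest(hotp(rec["secret"], i), code):
                rec["counter"] = i + 1
                return True
        return False


def demo():
    """Constructed walk-through; returns the sequence of verifier decisions."""
    verifier = TokenVerifier()
    secret = b"12345678901234567890"     # the RFC 4226 test-vector secret
    verifier.enroll("token-01", secret, pin="4321")
    return [
        verifier.verify("token-01", "4321", hotp(secret, 0)),  # fresh code: accepted
        verifier.verify("token-01", "4321", hotp(secret, 0)),  # same code again: replay
        verifier.verify("token-01", "0000", hotp(secret, 1)),  # right code, wrong PIN
        verifier.verify("token-01", "4321", hotp(secret, 1)),  # accepted
        verifier.verify("token-01", "4321", hotp(secret, 3)),  # skipped one, inside window
        verifier.verify("token-01", "4321", hotp(secret, 2)),  # behind the counter: rejected
    ]
```

The secret lives in two places only, the token's silicon and the verifier's record, which is the property 5.4.1 credits tokens with: nothing the operator types or that crosses the network is reusable. The verifier record is therefore the asset to protect on the server side, and the lost-token case is handled by deleting that record, which is the logistical support 5.4.3 says tokens need.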
Tokens are becoming available in forms that are more convenient to use, such as key-ring fobs and functionality embedded in photo ID cards.

5.4.6 Recommendations and Guidance
Physical/token authentication has the potential for a strong role in IACS environments. An access card or token can be an effective form of authentication for computer access, as long as the computer is in a secure area (e.g., once the operator has gained access to the room with appropriate secondary authentication, the card alone can be used to enable control actions). Where additional security is warranted, single-factor methods such as passwords can be combined with physical/token authentication to create a significantly more secure two-factor authentication system.
Where possible, ensure that the hardware implementation of the physical token is tamper-proof, so that any attempt to x-ray, reverse engineer, or tamper with the registers in the physical token where the key and associated algorithms reside renders the device useless by zeroing out the registers. If physical/token authentication is deployed, it is important to include sufficient resources to manage issues regarding the tokens, including token distribution, replacement, and returns.

5.4.7 Information Sources and Reference Material
• Harris, S. Mike Meyer's CISSP Certification Passport. McGraw-Hill/Osborne, Berkeley, CA 2002. pp. 37-38, 155-156.
• Zurawski, R. The Industrial Communication Technology Handbook. CRC Press, Boca Raton, FL 2005. Chapters 1.14-15, 15.14, 20.13-17.

5.5 Smart Card Authentication
Smart cards are similar to token authentication, but can provide additional functionality. Smart cards can be configured to run multiple on-board applications to support building access, computer dual-factor or triple-factor authentication, and cashless vending on a single card, while also acting as the company photo ID for the individual. Typically, smart cards come in a credit card size form-factor and can be printed, embossed, and individually personalized. Smart cards can be customized, individualized, and issued in-house or by outsourced service providers who typically issue hundreds of thousands of cards per day.

5.5.1 Security Vulnerabilities Addressed by this Technology
Smart cards enhance software-only solutions, such as password authentication, by offering an additional authentication factor and removing the human element of memorizing complex secrets.
They also:
• Isolate security-critical computations involving authentication, digital signatures, and key exchange from other parts of the system that do not need to know.
• Enable portability of credentials and other private information between multiple computer systems.
• Provide tamper-resistant storage for protecting private keys and other forms of personal information.

5.5.2 Typical Deployment
Smart cards can vary from simple memory cards to cards with complex on-board processing capabilities. Cards such as the Java® card even allow dynamic uploading of applications, in a similar way that a web browser can run downloaded Java® code. Card readers are available as USB, PC-card or RS232 devices, and are increasingly available built into devices such as keyboards and keypads. The latter devices ensure that the PIN is never processed on the workstation but is entered directly into the smart card. These "secure PIN entry devices" can prevent workstation-based key logger attacks on the PIN. Smart cards can have metallic contacts, similar to those commonly found on today's credit cards, or can have proximity radio capabilities that work up to a range of 1–2 meters. Smart cards also provide the ability to combine several uses in a single card. For example, building access control, computer authentication, application authentication, and cashless vending can be integrated in a single card. When the user leaves the work area for lunch, he would take his card with him to purchase lunch (cashless vending) and to return to the secure area, ensuring that he removed his smart card from his computer, which would automatically lock it. Smart card applications for computer authentication typically hold the user's credentials securely on the card. The user must use a PIN to unlock the card to allow the credentials to be accessed. In normal applications, a challenge-response mechanism between the computer and the card allows the credentials to be retained within the card and never transferred to the computer, where they could potentially be compromised.

5.5.3 Issues and Weaknesses
Many smart cards offer high quality dual-factor authentication solutions that are robust enough for financial sector applications. The majority of issues are logistical, around issuing cards and particularly replacing lost or stolen cards.
These include:
• A lost or stolen card may provide some level of access to the finder.
• Smart cards without a matching hardware access control system are no better than non-smart cards.
• Lost or damaged smart cards can create a temporary block to access to the industrial automation and control system that is necessary for safety or general operations, if backup cards are not issued.
• If the smart card PIN is entered using the workstation, it can be vulnerable to attack if the workstation is compromised. Secure PIN entry devices that do not allow workstation access to the PIN can be used to mitigate this vulnerability.
• Using smart cards for multiple applications outside the control system, such as cashless vending, creates a potential code access vulnerability.
There is also a concern that smart card security may be compromised using differential power analysis (DPA) techniques. DPA is performed by monitoring the electrical activity of a device, and then using advanced statistical methods to determine secret information (such as secret keys and user PINs) on the device.

5.5.4 Assessment for the Industrial Automation and Control Systems Environment
Although smart cards are relatively inexpensive and offer useful functionality in an industrial control system context, implementation must be done within the overall security context of the plant. The necessary identification of individuals, issuance of cards, revocation should compromise be suspected, and assignment of authorizations to authenticated identities represent a significant initial and on-going challenge. In some cases, corporate resources may be available to assist in the deployment of smart card and public key based infrastructures.

5.5.5 Future Directions
Smart cards are increasing in memory and processor capacity and in flexibility. The cost of smart cards and smart card readers is likely to be reduced as financial services organizations adopt smart card technology for credit cards (beginning to happen in the United Kingdom). Integrating smart cards into standard product offerings is likely to follow, as credit card payment with a smart card becomes the norm. Another possible future direction is integration with Web browsers to allow secure on-line retail transactions.

5.5.6 Recommendations and Guidance
Smart cards should be examined for their potential in controlling access in Industrial Automation and Control System environments, both from a physical perspective and for access to computer systems.
If smart cards are implemented in an industrial control setting, provisions for the management of lost or damaged cards should be considered, as well as the costs for the corporate and respective access control systems to provide a management process for card distribution and retrieval.

5.5.7 Information Sources and Reference Material
• Smart Card Alliance Industry Information, smartcardalliance.org/industry_info/index.cfm
• R. Junee, "Smart Cards and Side-Channel Cryptanalysis," ee.usyd.edu.au/~rjunee/sc_side_channel.pdf
• Zurawski, R., Industrial Communication Technology Handbook, CRC Press, Boca Raton, FL, 2005

5.6 Biometric Authentication

Biometric authentication technologies determine authenticity by measuring presumably unique biological characteristics of the human requesting access. Usable biometric features include finger minutiae, facial geometry, retinal and iris signatures, voice patterns, typing patterns, and hand geometry.

5.6.1 Security Vulnerabilities Addressed by this Technology

Like physical tokens and smart cards, biometric authentication enhances software-only solutions, such as password authentication, by offering an additional authentication factor and removing the human element of memorizing complex secrets. In addition, since biometric characteristics are supposedly unique to a given individual, biometric authentication addresses the issues of lost or stolen physical tokens and smart cards.

5.6.2 Typical Deployment

Common forms of biometric authentication include:
• Fingerprint scanners
• Hand geometry scanners
• Eye (iris or retina) scanners
• Face recognition
• Voice recognition

5.6.3 Issues and Weaknesses

Noted issues with biometric authentication include:
• Some biometric devices suffer from the need to detect a real object from a fake (e.g., to distinguish a real human finger from a silicon-rubber cast, or a real human voice from a recorded one)
• Some biometric devices are subject to type-I and type-II errors (the probability of rejecting a valid biometric image, and the probability of accepting an invalid biometric image, respectively). In most cases, the user should attempt to implement biometric authentication devices at the lowest crossover between these probabilities, also known as the crossover error rate
• Some biometric devices are environmentally sensitive.
As a result, temperature, humidity, and other environmental factors can affect the devices
• Biometric scanners have been reported to "drift" over time and may need occasional retraining. Human biometric traits may also shift over time, necessitating periodic scanner retraining
• Device training may require face-to-face technical support and verification, unlike a password that can be given over the phone or an access card that can be handed out by a receptionist
• The temporary inability of a sensing device to acknowledge a legitimate user can prevent needed access to the control system
• Some biometric authentication devices are more "socially acceptable" than others. For example, retinal scans rate very low on the scale of acceptability, while iris scanners and thumbprint scanners rate high on the scale of acceptability. Users of biometric authentication devices need to take the social acceptability of the target group into consideration when selecting among the various biometric authentication technologies.

5.6.4 Assessment for the Industrial Automation and Control Systems Environment

Biometric devices make a useful secondary check versus other forms of authentication that can become lost or borrowed. Using biometric authentication in combination with token, key, or badge-operated employee time clocks increases the security level.

5.6.5 Future Directions

Biometrics are becoming more reliable and are increasingly integrated into common components, such as keyboards. This trend is already progressing in hand-held items such as personal data assistants (PDAs) and mobile telephones. Biometrics also combine well with smart card technology, where the card can hold the biometric data of the user. When combined with a PIN, this provides three-factor authentication: something the presenter has, knows, and is.

5.6.6 Recommendations and Guidance

Biometrics can provide a valuable authentication mechanism, but they need to be carefully assessed for industrial applications, because physical and environmental issues within the final installation environment may need to be restructured for reliable and authorized authentication. The exact physical and environmental properties of the installation would be coordinated with the system vendor or manufacturer.

5.6.7 Information Sources and Reference Material
• Harris, S. Mike Meyer's CISSP Certification Passport. McGraw-Hill/Osborne, Berkeley, CA 2002. pp. 32-34.
• Teumim, D.J. Industrial Network Security. ISA, Research Triangle Park, NC 2005. p. 106
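As an added illustration of the type-I/type-II trade-off and crossover error rate from 5.6.3 (this is not code from the report), the Python below sweeps a decision threshold over constructed genuine and impostor match scores and shows what scanner drift does to the rejection rate at a threshold fixed at enrollment. The score lists, the 8-point drift and the function names are assumptions.

```python
"""Type-I / type-II error trade-off and crossover error rate for a biometric
matcher (5.6.3). Added illustration with constructed scores, not from the report."""
from typing import Iterable, List, Tuple

# Constructed similarity scores (0-100) from a hypothetical fingerprint matcher.
# Genuine = the enrolled person; impostor = someone else or a fake (e.g., a cast).
GENUINE_SCORES = [82, 88, 91, 76, 95, 84, 79, 90, 87, 68, 93, 85, 81, 77, 89, 92]
IMPOSTOR_SCORES = [41, 55, 62, 48, 70, 35, 58, 66, 52, 44, 61, 72, 39, 57, 50, 64]


def frr(genuine: Iterable[float], threshold: float) -> float:
    """Type-I error (false rejection rate): valid images scoring below the threshold."""
    scores = list(genuine)
    return sum(1 for s in scores if s < threshold) / len(scores)


def far(impostor: Iterable[float], threshold: float) -> float:
    """Type-II error (false acceptance rate): invalid images scoring at or above it."""
    scores = list(impostor)
    return sum(1 for s in scores if s >= threshold) / len(scores)


def error_curve(genuine, impostor, thresholds=range(0, 101)) -> List[Tuple[int, float, float]]:
    """(threshold, FRR, FAR) for every candidate decision threshold."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in thresholds]


def crossover_error_rate(genuine, impostor, thresholds=range(0, 101)) -> Tuple[int, float]:
    """Threshold where FRR and FAR are closest, and the error rate there (the CER).
    The lowest such threshold wins ties; CER is the mean of the two rates at it."""
    best = min(error_curve(genuine, impostor, thresholds),
               key=lambda row: (abs(row[1] - row[2]), row[0]))
    t, fr, fa = best
    return t, (fr + fa) / 2


def threshold_for_max_far(genuine, impostor, max_far: float) -> Tuple[int, float]:
    """Operating point for a site that caps false acceptance (e.g., a door into a
    safety-critical area): the lowest threshold meeting the FAR cap, together with
    the FRR that legitimate users will pay for it."""
    for t, fr, fa in error_curve(genuine, impostor):
        if fa <= max_far:
            return t, fr
    raise ValueError("no threshold meets the FAR cap")


def frr_after_drift(genuine, threshold: float, drift: float) -> float:
    """Scanner or trait drift lowers every genuine score by `drift`; the threshold
    chosen at enrollment then rejects more legitimate users (retraining is needed)."""
    return frr([s - drift for s in genuine], threshold)


def demo() -> dict:
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    strict_t, strict_frr = threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0)
    return {
        "cer_threshold": t, "cer": cer,
        "zero_far_threshold": strict_t, "zero_far_frr": strict_frr,
        "frr_after_drift_8": frr_after_drift(GENUINE_SCORES, t, 8),
    }
```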
5.7 Location-Based Authentication

Location-based authentication technologies determine authenticity based on the physical location in space of the device or human requesting access. For example, systems may involve using GPS technologies to ensure that the requester is where he or she claims to be, within an area that is physically secure. Authentication may be done directly, so that physical access to the device implies authority, or indirectly, so that an ID or address representing the location is used to imply authority. A small percentage of the network and service authentications currently performed in IACS environments are location based, where some form of identity is directly (or indirectly) linked to the location and used to authenticate the user. A simple example is a control device that accepts commands only if the source address (IP) of the command matches the preconfigured address assigned to the main control room.

System security fundamentally depends on the ability to authenticate users and control access to resources. Geodetic location, as calculated from a location signature, adds a fourth dimension to user authentication and access control. It can be used to determine whether a person is attempting to log in from an approved location, e.g., a user's office building or home. If a user is mobile, then the set of authorized locations could be a broad geographic region (e.g., city, state, or country). In that case, the login location serves to identify the place of login as well as to authenticate it. If unauthorized activity is detected, it can facilitate finding the individual responsible for that activity.

5.7.1 Security Vulnerabilities Addressed by this Technology

User authentication mechanisms are based on information the user knows (e.g., a password or PIN), possession of a device (e.g., an access token or crypto-card), or information derived from a personal characteristic (biometrics). None of these methods are foolproof. Passwords and PINs are often vulnerable to guessing, interception, or brute force search. Devices can be stolen. Cryptographic systems and one-time password schemes can fail even when the algorithms are strong. Typically, security reduces to the PINs or passwords used to control access to keys stored in files or to activate hardware tokens. Biometrics can be vulnerable to interception and replay. Another way to supplement authentication and further reduce the vulnerabilities of passwords and PINs for an IACS user, especially at a remote location, is to deploy location-based authentication.
5.7.2 Typical Deployment

Using location-based authentication, the physical location of a particular user or network node at any instant is uniquely characterized by a location signature. This signature is created by a location signature sensor (LSS) from the microwave signals transmitted by the twenty-four hour satellite constellation of the GPS. The technique used depends on the device, which determines the geodetic location (latitude, longitude, and height in a precisely defined geocentric coordinate reference system) of the LSS to an accuracy of a few meters or better. The signature and its derived location are virtually impossible to forge. An entity in cyberspace is unable to pretend to be anywhere other than where its LSS is actually situated. In attempting to gain access to a host server, a remote client is challenged to supply its current location signature. The host, also equipped with an LSS, processes the client signature and its own simultaneously acquired satellite signals to verify the client's location to within an acceptable threshold (a few meters down to centimeters, if required). For two-way authentication, the reverse process would be performed. Re-authorization can be performed every few seconds or longer.

5.7.3 Issues and Weaknesses

Location signatures have the potential of being used to track the physical locations of individuals who are using a mobile device. This technology also requires a hardware device at both the host and the client end, which adds costs.

5.7.4 Assessment for the Industrial Automation and Control Systems Environment

This technology could be of great benefit in authenticating users, especially in enhancing wireless security within the plant site or at a remote location. With a very tight determination of location, it would be easily possible to limit access to users within a fairly tight geographical area and to refuse connection to, or disconnect, users outside that area. For mobile users it would be easily possible to create access roles based on physical location changes. Different roles/capabilities could be allowed depending on the physical location of the user. Engineers with laptops who can make changes when working within the plant site could be restricted to view-access off the plant site. This technology has much potential for enhancing the security of control systems.

5.7.5 Future Directions

Cost reduction by vendors of this solution is required to increase the attractiveness of this technology. The technology also needs to be embedded in mobile devices.
5.7.6 Recommendations and Guidance

Web searches did not reveal many resources for this solution.

5.7.7 Information Sources and Reference Material
• "Location-Based Authentication: Grounding Cyberspace for Better Security," Dorothy E. Denning and Peter F. MacDoran, cs.georgetown.edu/~denning/infosec/Grounding.txt
• "Interlink Networks, Bluesoft Deliver Wi-Fi Location-Based Security Solutions," WiFi Revolution Newsletter, April 28, 2003, wifirevolution.com/enews/042803b.htm

5.8 Password Distribution and Management Technologies

User identification coupled with a reusable password, updated and changed in a policy-driven and consistent manner, is the most common form of system identification and authorization mechanism for control system operators and users. A password is a protected sequence of characters used to authenticate an individual. Authentication factors are based on what the user knows (e.g., a password), has (e.g., a smart card), or is (e.g., a biometric); a password is something the user knows. Passwords are the most used authentication mechanism employed today for control system access and, therefore, need to be highly protected. It is important that passwords be strong and properly managed, and therefore distributed in a manner that is secure and also guarantees that updates and changes negate wrong disclosure via carelessness or long-term consistent use.

5.8.1 Security Vulnerabilities Addressed by this Technology

If passwords are properly generated, updated, and kept secret, they can provide effective security. Passwords are authentication based on what the user knows, as opposed to something the control system user has or is.

5.8.2 Typical Deployment

Passwords used during the login process, whether at a central control room, at a remote location within the industrial organization, or outside the industrial organization, can be transferred via wireless or wired modes or a combination thereof.

5.8.3 Issues and Weaknesses

Although passwords are the most commonly used authentication mechanisms, they are also considered the weakest security mechanisms available. The weakness stems from the facts that users usually choose passwords that are easily guessed, tell others their passwords, and many times write the password on a sticky note that they may or may not hide somewhere near the computer or HMI in the control room.
For control system users, security is usually not the most important or interesting part of using computers or HMIs— until someone hacks into their computers and steals their information or, much worse, disrupts an automated operation or a key control system asset. In order to keep the system secure, passwords need to be kept confidential and routinely changed, altered, or even updated, since attackers (insiders included) can try the following techniques to obtain a password and ultimately compromise security.
• Electronic monitoring: An attacker can listen to network traffic to capture information, especially when a user is sending a password to an authentication server. The password can be copied and reused by the attacker at another time. Reusing a password is called a "replay attack."
• Access to the password file: Password files are usually located on the authentication server. The password file contains many users' passwords and, if compromised, can be the source of a lot of damage. The password file should be protected with access control mechanisms and encryption.
• Brute force attacks: An attacker can use a tool that cycles through many possible character, number, and symbol combinations to uncover a password.
• Dictionary attacks: An attacker uses files of thousands of words to compare to the user's password until a match is found.
• Social engineering: An attacker falsely convinces an individual that the attacker has the necessary authorization to access specific resources.

5.8.4 Assessment for the Industrial Automation and Control Systems Environment

Passwords can be the strongest or the weakest link in any access to industrial automation processes and control systems. Static passwords (passwords that stay the same over a period of time) are used in many situations where dynamic passwords are impractical. It is a wise idea to change static passwords periodically, such as every week. Dynamic passwords (a new password for every logon) offer better security and should be used when practical. For more information on dynamic passwords, see Section 5.8.5, "Future Directions."

5.8.5 Future Directions

Security will become more important in the future because of increased awareness of vulnerabilities and the increased abilities of hackers. For instance, a hacker can increase his ability dramatically through the sophisticated tools being developed, such as key stroke logging programs embedded through a virus on the enterprise network and then on the control LAN. One strategy to increase security is one-time passwords. A one-time password is also called a dynamic password.
A dynamic password is used for authentication purposes and is good only once. After the password is used, it is no longer valid; thus, if a hacker obtained this password, it could not be reused. This type of authentication mechanism is used in environments that require a higher level of security than static passwords provide. There are two general types of one-time password generating tokens: synchronous and asynchronous. They are described below.

A token device generates the one-time password for the user to submit to an authentication server. The token device, or password generator, is usually a handheld device that has a liquid crystal display and possibly a keypad. This hardware is separate from the computer the user is attempting to access. The token device and the authentication service need to be synchronized in some manner to be able to authenticate a user. The token device presents the user with a list of characters to be entered as the password when logging into a computer. Only the token device and the authentication service know the meaning of these characters. Because the two are synchronized, the token device presents the exact password the authentication service is expecting. This one-time password, also called a token, is no longer valid after its initial use.

A synchronous token device synchronizes with the authentication service by using time or a counter as the core piece of the authentication process. If the synchronization is time-based, the token device and the authentication service must hold the same time within their internal clocks. The time value on the token device and a secret key are used to create the one-time password, which is displayed to the user. The user enters this value and a user ID into the computer, which then passes them to the server running the authentication service. The authentication service decrypts this value and compares it to the value it expected. If the two match, the user is authenticated and allowed to use the computer and its resources.

If the token device and the authentication service use counter-synchronization, the user needs to initiate the logon sequence on the computer and push a button on the token device. This causes the token device and the authentication service to advance to the next authentication value. This value and a base secret are hashed and displayed to the user. The user enters the resulting value along with a user ID to be authenticated. In either time-based or counter-based synchronization, the token device and the authentication service must share the same secret base key used for encryption and decryption.

A token device using an asynchronous token-generating method uses a challenge-and-response scheme to authenticate the user.
In this situation, the authentication server sends the user a challenge, a random value also called a nonce. The user enters this random value into the token device, which encrypts it and returns a value that the user uses as a one-time password. The user sends this value, along with a user name, to the authentication server. If the authentication server can decrypt the value and it is the same challenge that was sent earlier, the user is authenticated.

Both synchronous and asynchronous token systems can fall prey to masquerading if a user shares his identification information or if the token device is shared or stolen. The token device can also have battery failure or other malfunctions that would stand in the way of successful authentication. However, a system using a token device is not vulnerable to electronic eavesdropping, sniffing, or password guessing.

5.8.6 Recommendations and Guidance

The degree of security needs to be consistent with the value of the information and the process, especially in control systems, and with the critical industrial assets and equipment it protects. Small, stand-alone control systems that contain no valuable information, are not connected to significant assets (or only to benign ones), do not control valuable processes, and are not connected to the Internet can be protected by simple passwords. On the other hand, systems that are interconnected, contain valuable information, control a valuable process, or control valuable or dangerous processes and equipment need more sophisticated password security. In this case, cognitive passwords or one-time passwords are appropriate and, in the long term, cost-effective. The cost is compensated for by the process protected: a hacker intrusion could result in millions of dollars of lost revenue, severe damage to systems or products, loss of confidential information, or harm to personnel or the environment.

5.8.7 Information Sources and Reference Material
• Harris, Shon, All-in-One CISSP Exam Guide, Third Edition, pp 135-137, 963, McGraw-Hill/Osborne, New York, NY.
• InformIT, Security, Access Control Systems, Part 2, "Verifying Authenticity and Identity," November 7, 2006, informit.com/guides/.

5.9 Device-to-Device Authentication

Device-to-device authentication ensures that malicious changes to data traveling between devices can be recognized. Authentic data are those verified as authentic by the originating device and validated as authentic by the receiving device. Device-to-device authentication does not prevent malicious tampering of the data, but it does denote that the data have been modified.
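The synchronous (time- and counter-based) and asynchronous (challenge-response) token schemes of 5.8.5 above, which also follow the challenge-response pattern described for smart cards in 5.5.2, as an added example written for this page rather than code from the report. HMAC-SHA256 is substituted for the token's "encryption" of the moving value, and the class names, the base secret and the clock value are constructed.

```python
"""Synchronous (time and counter) and asynchronous (challenge-response) one-time
password tokens as described in 5.8.5. Added illustration; HMAC-SHA256 stands in
for the token's 'encryption' of the moving value. All names are constructed."""
import hashlib
import hmac
import secrets
import struct

DIGITS = 6


def otp_from_counter(secret: bytes, moving_value: int) -> str:
    """Keyed hash of the base secret and a moving value, truncated to 6 digits.
    Shared by the counter-based and time-based schemes (only the moving value differs)."""
    mac = hmac.new(secret, struct.pack(">Q", moving_value), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class CounterToken:
    """Synchronous token: each button press advances the counter."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press_button(self) -> str:
        self.counter += 1
        return otp_from_counter(self.secret, self.counter)


class TimeToken:
    """Synchronous token: the clock reading (in 30-second steps) is the moving value."""
    def __init__(self, secret: bytes, step: int = 30):
        self.secret, self.step = secret, step

    def display(self, now: int) -> str:
        return otp_from_counter(self.secret, now // self.step)


class ChallengeToken:
    """Asynchronous token: transforms the server's nonce with the shared secret."""
    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, nonce: str) -> str:
        return hmac.new(self.secret, nonce.encode(), hashlib.sha256).hexdigest()[:12]


class AuthService:
    """Authentication service: shares the base secret, keeps sync state, refuses replays."""
    def __init__(self, secret: bytes, step: int = 30, look_ahead: int = 3):
        self.secret, self.step, self.look_ahead = secret, step, look_ahead
        self.last_counter = 0          # highest counter value already accepted
        self.used_time_steps = set()   # time steps whose code has been consumed
        self.pending_nonces = set()    # challenges issued but not yet answered

    def verify_counter(self, code: str) -> bool:
        # Accept the next few counter values (button pressed without logging in),
        # then resynchronize so every older value, including this one, is dead.
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead):
            if hmac.compare_digest(otp_from_counter(self.secret, c), code):
                self.last_counter = c
                return True
        return False

    def verify_time(self, code: str, now: int) -> bool:
        step = now // self.step
        for s in (step - 1, step, step + 1):        # tolerate small clock skew
            if s in self.used_time_steps:
                continue                            # one-time: a step is never reused
            if hmac.compare_digest(otp_from_counter(self.secret, s), code):
                self.used_time_steps.add(s)
                return True
        return False

    def challenge(self) -> str:
        nonce = secrets.token_hex(8)
        self.pending_nonces.add(nonce)
        return nonce

    def verify_response(self, nonce: str, response: str) -> bool:
        if nonce not in self.pending_nonces:
            return False                            # unknown or already-answered challenge
        self.pending_nonces.discard(nonce)
        expected = ChallengeToken(self.secret).respond(nonce)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Each scheme: the first use succeeds, the same code replayed later fails."""
    secret = b"constructed-base-secret"          # provisioned to token and service
    svc = AuthService(secret)
    ctr, tim, chal = CounterToken(secret), TimeToken(secret), ChallengeToken(secret)
    out = {}
    code = ctr.press_button()
    out["counter_first"], out["counter_replay"] = svc.verify_counter(code), svc.verify_counter(code)
    now = 1_700_000_000                          # constructed clock reading
    shown = tim.display(now)
    out["time_first"] = svc.verify_time(shown, now + 5)
    out["time_replay"] = svc.verify_time(shown, now + 9)
    nonce = svc.challenge()
    answer = chal.respond(nonce)
    out["challenge_first"] = svc.verify_response(nonce, answer)
    out["challenge_replay"] = svc.verify_response(nonce, answer)
    return out
```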
Authentication can apply to the data traveling between devices, the identity of the users sending and receiving the data, the type of application sending the data, the sessions between devices, or any combination of these. Strong authentication is typically defined as combining two of the following methods: "something you have," "something you know," and "something you are." It is considered the most secure form of authentication. The communication layers can include a variety of styles of physical layer protocols, including wired or wireless, serial based or IP based. NIST defines four levels of authentication using tokens1, ranging from data authentication only, data and identity authentication, data and identity authentication with soft encrypted revolving tokens, and data and identity authentication with hard encrypted tokens. Note that none of these types of authentication requires the data being sent to be encrypted. The last two types require the token to be encrypted along with the unencrypted data.

5.9.1 Security Vulnerabilities Addressed by this Technology

Device-to-device authentication mitigates vulnerabilities associated with data integrity. Confidentiality of data is not addressed by this technology. In some cases, availability of data is higher if only authentication and integrity protection is applied, since this technology does not rely on encryption of the data. Overheads related to authentication and integrity protection are typically lower than those needed for confidentiality protection. Authentication technology will prevent any entity without the proper token from sending authentic data, regardless of the data content (e.g., the data could be telemetry, firmware, files, SCADA commands, or other). Thus, man-in-the-middle attacks are mitigated by this technology. If authentication of the data occurs at the device's application layer, then the authentication technology will prevent some forms of attacks focused on corrupting the data before it is sent. If the authentication validates the user's identification (such as with biometric devices), then this technology is further beneficial.

5.9.2 Typical Deployment

Device-to-device authentication is often deployed in conjunction with encryption. However, many control system users, such as those in the electric power industry, do not need the confidentiality gained from encryption, but rather need data integrity and the ability to troubleshoot in clear text.

1 Glossary of Computer Terminology, U.S. National Institute of Standards and Technology, 1991.
For these types of users, authentication of the data (and possibly of the user) provides a very good solution. For devices without users, authentication of the application can be performed in lieu of the user.

5.9.3 Issues and Weaknesses

Device-to-device authentication does not mitigate denial of service attacks. Advanced man-in-the-middle attacks, where clandestine hackers passively sniff network traffic, gain access codes and addresses, and then inject a malicious attack, are hindered by authentication technologies. Authentication should not be confused with authorization (the access privileges granted to an entity), nor does it include role-based access control (e.g., group memberships).

5.9.4 Assessment for the Industrial Automation and Control Systems Environment

Authentication technologies are widely used within Transmission Control Protocol/Internet Protocol (TCP/IP) based networks. However, many protocols in the Industrial Automation and Control System environment are not IP based and require specific implementations of authentication. Utility industries such as natural gas and electric power are currently pursuing security solutions for communications, which include authentication.

5.9.5 Future Directions

Several groups are currently working on solutions for control system security. IEC TC57 has been tasked with securing the IEC 60870-5 protocol and the DNP3 protocols, which are prolific within the electric power utility industry. The American Gas Association is finalizing its specification, AGA-12, requiring both cryptographic and authentication technologies. It is apparent that manufacturing and utility communications are requiring integrated security. In many controls applications, confidentiality is not required, and therefore authentication is a good security solution. Issues surrounding key (token) management technologies will become more prevalent as authentication solutions are integrated.

5.9.6 Recommendations and Guidance

Users should adhere to vendor best practices to ensure proper device-to-device authentication deployment.

5.9.7 Information Sources and Reference Material
• American Gas Association Working Group AGA-12 (www.aga.org)
• IEC TC57 Technical Committee (www.iec.ch)
• DNP Users Group
• Glossary of Computer Terminology, U.S. National Institute of Standards and Technology, 1991.
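An added example (not from the report) of the "data and identity authentication" level from 5.9 above: each device keyed-hashes its identity, a sequence number and the clear-text payload, so the receiver can recognize tampering, replay and a sender without the key, while the payload stays readable for troubleshooting. Device names, keys and message contents are constructed.

```python
"""Device-to-device message authentication without encryption (5.9). Added
illustration; device identities, keys and payloads below are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List

# Constructed per-device keys. In a real deployment they come from the key (token)
# management process that 5.9.5 expects to grow in importance.
DEVICE_KEYS = {"RTU-07": b"constructed-key-for-rtu-07",
               "HMI-01": b"constructed-key-for-hmi-01"}


@dataclass(frozen=True)
class AuthenticatedMessage:
    sender: str     # identity being authenticated
    seq: int        # monotonically increasing counter against replay
    payload: str    # stays in clear text so it can be read on the wire
    tag: str        # keyed hash over sender | seq | payload


def _tag(key: bytes, sender: str, seq: int, payload: str) -> str:
    material = f"{sender}|{seq}|{payload}".encode()
    return hmac.new(key, material, hashlib.sha256).hexdigest()


def send(sender: str, seq: int, payload: str) -> AuthenticatedMessage:
    """Originating device verifies the data as its own by tagging it with its key."""
    return AuthenticatedMessage(sender, seq, payload,
                                _tag(DEVICE_KEYS[sender], sender, seq, payload))


class Receiver:
    """Receiving device validates tag and freshness; it never needs to decrypt."""
    def __init__(self) -> None:
        self.last_seq: Dict[str, int] = {}   # per-sender high-water mark

    def validate(self, msg: AuthenticatedMessage) -> str:
        key = DEVICE_KEYS.get(msg.sender)
        if key is None:
            return "unknown-sender"
        expected = _tag(key, msg.sender, msg.seq, msg.payload)
        if not hmac.compare_digest(expected, msg.tag):
            return "tampered"           # data or claimed identity was modified
        if msg.seq <= self.last_seq.get(msg.sender, 0):
            return "replayed"           # genuine frame, but already seen
        self.last_seq[msg.sender] = msg.seq
        return "authentic"


def demo() -> List[str]:
    rx = Receiver()
    m1 = send("RTU-07", 1, "ANALOG pressure=4.21 bar")
    results = [rx.validate(m1)]
    # Clear-text value edited in transit; the editor cannot recompute the tag.
    forged = AuthenticatedMessage(m1.sender, m1.seq, "ANALOG pressure=9.99 bar", m1.tag)
    results.append(rx.validate(forged))
    # The genuine frame captured earlier and sent again.
    results.append(rx.validate(m1))
    # An entity with no key claiming to be the RTU.
    impostor = AuthenticatedMessage("RTU-07", 2, "CMD open valve V3", "00" * 32)
    results.append(rx.validate(impostor))
    # A genuine command from the HMI is accepted and stays readable on the wire.
    results.append(rx.validate(send("HMI-01", 1, "CMD open valve V3")))
    return results
```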
6 Filtering/Blocking/Access Control Technologies

Access control technologies and filtering and blocking technologies are designed to direct and regulate the flow of information between devices or systems once authorization has been determined. Firewalls are the most commonly used form of this technology.

6.1 Network Firewalls

A firewall is a mechanism used to control access to a network and to protect attached computers from unauthorized uses. Firewalls enforce access control policies using mechanisms that either block or permit certain types of traffic, thus regulating the flow of information. Firewalls typically block traffic from outside the protected area to inside the protected area, while permitting users on the inside to communicate with outside services. There are also other, more restrictive configurations that restrict external access within the protected network. More restrictive policies are also possible and are likely appropriate in the IACS context. It is important to have a firewall separating a company's enterprise network from the Internet, and even more important to have firewalls between the enterprise network and the industrial automation and control system LANs. Additionally, it is best cyber security practice that servers on the control system LAN that need access to the enterprise network be placed between firewalls in a demilitarized zone (DMZ) arrangement.

There are three general classes of firewalls:
• Packet Filtering—This type of firewall checks the address information of a packet against a set of criteria before forwarding the packet. Depending on the packet and the criteria, the firewall can drop the packet, forward it, or send a message to the originator. The advantages of packet filtering firewalls include low cost and low impact on network performance, usually because only the source address of the packet is examined. For example, once the IP source address of a packet is identified, an established rule determines if the packet should be discarded or forwarded. This method is also sometimes called static filtering.
• Stateful Inspection—Stateful inspection firewalls filter packets at the network layer, determine whether session packets are legitimate, and evaluate the contents of packets at the application layer. Stateful inspection keeps track of active sessions and uses that information to determine if packets should be forwarded or blocked. It offers a high level of security, good performance, and transparency to end users, but it is expensive.
Due to its complex nature, it can be less secure than simpler types of firewalls if not administered by highly competent personnel. This method is also sometimes called dynamic packet filtering.
• Application Proxy—This type of firewall examines packets at the application layer and filters traffic based on specific application rules, such as specified applications (e.g., browsers) or protocols (e.g., file transfer protocol (FTP)). It offers a high level of security, but has a significant impact on network performance. It is not transparent to end-users and requires manual configuration of each client computer.

6.1.1 Security Vulnerabilities Addressed by this Technology

A growing need exists for communication between process control networks and the outside. Typically, the communication is one-way, transferring process data out. The firewall is an efficient and well-known device used to enforce security in the data communication process. A firewall provides security protection in the IACS environment by:
• Limiting data to/from the process control network
• Logging successful and unsuccessful transactions through the firewall
• Enabling networks to interact that were not designed to do so (routing/NAT).

[Figure: process network (inside zone); DMZ zone (optional); firewall; corporate network (outside zone)]

Limiting data to/from the process control network can be configured in several ways. The most sophisticated firewalls have the ability to filter on a combination of:
• IP addresses (IP segments) outside that are allowed to reach the inside, and vice versa
• Ports allowed for communication
• Applications allowed for communication.

Although not typical in control systems, intrusion detection systems (IDS) may be installed with firewalls connected, enabling the IDS to respond to a security threat--for instance, by blocking at the firewalls, resetting sessions, or dropping traffic that matches an attack signature. An intrusion detection system monitors either traffic patterns on a network or files on host computers, looking for signatures that indicate an intruder has attempted to break into a system.

6.1.2 Typical Deployment

Firewalls can be implemented at several levels in the total network of a company. Firewalls are an integrated part of a company's security strategy; thus, the brand and models are decided by the central organization. Firewalls used in IACS environments often protect a physical area (i.e., a factory or building), but should be used taking into account the infrastructure of the data communication.
If set up improperly (i.e., in the wrong position in the network), firewalls are worthless, because the firewall has to be configured to secure and filter in a way that lets the business operate.

6.1.3 Issues and Weaknesses

Firewalls are not the solution to intrusion problems in IACS. The weaknesses of relying on firewalls include:
• Firewalls are not designed for process industry applications (DCS, SCADA), making it difficult to tailor the filtering for optimal security. In IACSs, firewalls should not be used as the single means of protection. Software and hardware firewalls should be used in connection with other security measures such as IDS systems, monitoring systems such as NetIQ/MOM, and computer software such as Active Directory and VPN (Virtual Private Network).
• Firewalls have evolved to become increasingly complex, sometimes requiring specialized expertise for each different brand or model.
• Reviewing logs (maintenance) is a tedious and time-consuming task. Central monitoring systems have eased this work.
• Patching firewalls (maintenance) is as important as patching servers and clients on the network.

6.1.4 Assessment for the Industrial Automation and Control Systems Environment

Firewalls should be used as an important tool to ensure security. The application and configuration of firewalls should be balanced against the perceived security threat and the likely impact in case a security exploit is used. As with other complex technologies, it is important to start simply and logically, with the greater perspective in mind. Specifically, the configuration of firewalls should start by setting up the firewall to deny all traffic, then looking at which traffic is required and allowing it explicitly. The effort required to operate firewalls should also be considered. Level of expertise, complexity and stability of the traffic through the firewall, and past experience are important factors to keep in mind when determining the appropriate level of security. A DMZ can be an efficient place for servers that communicate with the outside.

6.1.5 Future Directions

Firewalls are a necessary tool to ensure security where there is a need for direct data communication between networks. Hardware firewalls are preferred as the primary security component, since they are more secure than software firewalls. In newer Windows® operating systems such as "Vista", software firewalls are built into the operating system, which makes the security configuration of clients and servers easier and more efficient.
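The deny-all-then-allow-explicitly configuration of 6.1.4 applied across the process network, DMZ and corporate zones of 6.1.1, as an added Python model written for this page (not a real firewall and not the report's code) that also keeps a session table so that only replies to permitted traffic get back in. Zone address ranges, host addresses and port numbers are constructed.

```python
"""Default-deny, zone-based firewall policy for the network of 6.1 (added model).
Zone ranges, hosts and ports are constructed; not the report's configuration."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

# Constructed addressing for the zones shown in 6.1.1; anything else is "internet".
ZONES = {
    "process": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":     ipaddress.ip_network("10.20.0.0/24"),
    "admin":   ipaddress.ip_network("10.30.0.0/16"),
}

HISTORIAN_PCN = "10.10.5.10"   # the one process-network server allowed to talk to the DMZ
HISTORIAN_DMZ = "10.20.0.10"   # DMZ replica that the admin network reads from
REPORT_SERVER = "10.30.7.20"   # the one admin host allowed into the DMZ


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src_hosts: Optional[FrozenSet[str]]   # None = any host in the zone (use sparingly)
    dst_hosts: Optional[FrozenSet[str]]
    dports: FrozenSet[int]


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


# Explicit allows only; everything not listed is dropped (6.1.4: deny all first).
# Note there is no rule at all from "admin" to "process" or from anywhere to "internet".
RULES: List[Rule] = [
    Rule("process", "dmz", frozenset({HISTORIAN_PCN}), frozenset({HISTORIAN_DMZ}), frozenset({1433})),
    Rule("admin", "dmz", frozenset({REPORT_SERVER}), frozenset({HISTORIAN_DMZ}), frozenset({443})),
]


class StatefulFirewall:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.sessions: Set[Tuple[str, str, int]] = set()   # opened by allowed packets

    def decide(self, pkt: Packet) -> str:
        # Return traffic for a session opened from the allowed direction is permitted
        # (simplified: matched on the address pair only, not on the reply port).
        if any(pkt.dst == s and pkt.src == d for (s, d, _) in self.sessions):
            return "allow-established"
        sz, dz = zone_of(pkt.src), zone_of(pkt.dst)
        for r in self.rules:
            if (r.src_zone, r.dst_zone) != (sz, dz) or pkt.dport not in r.dports:
                continue
            if r.src_hosts is not None and pkt.src not in r.src_hosts:
                continue
            if r.dst_hosts is not None and pkt.dst not in r.dst_hosts:
                continue
            self.sessions.add((pkt.src, pkt.dst, pkt.dport))
            return "allow"
        return "deny"   # the default for everything not explicitly allowed


def demo() -> dict:
    fw = StatefulFirewall(RULES)
    return {
        "pcn_historian_to_dmz":  fw.decide(Packet(HISTORIAN_PCN, HISTORIAN_DMZ, 1433)),
        "dmz_reply_to_pcn":      fw.decide(Packet(HISTORIAN_DMZ, HISTORIAN_PCN, 50012)),
        "other_pcn_host_to_dmz": fw.decide(Packet("10.10.9.3", HISTORIAN_DMZ, 1433)),
        "admin_to_dmz":          fw.decide(Packet(REPORT_SERVER, HISTORIAN_DMZ, 443)),
        "admin_direct_to_pcn":   fw.decide(Packet(REPORT_SERVER, HISTORIAN_PCN, 1433)),
        "pcn_to_internet":       fw.decide(Packet(HISTORIAN_PCN, "203.0.113.5", 443)),
        "internet_to_dmz":       fw.decide(Packet("203.0.113.5", HISTORIAN_DMZ, 443)),
    }
```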
6.1.6 Recommendations and Guidance

Recommendations are for hardware firewalls from recognized vendors (i.e., a limited number of models), as well as knowledgeable, dedicated personnel to set up and operate the firewalls. Configuration of the firewall should comply with the following guidelines:
• Traffic between zones or networks connected to the firewall is generally closed (stateful event)
• The firewall should open traffic from the process control network to the administrative network only via the DMZ. No traffic should be allowed directly from the administrative network to the process network.
• Open traffic from the DMZ to the administrative network only for selected servers in the process control network
• Open traffic from the administrative network in the building (IP segment) to the DMZ only for selected servers in the process network
• Never allow traffic from the whole process control network to the administrative network; only allow traffic from the servers that need it
• Never allow traffic from the process control network to the Internet
• Network components in the process control network can be managed centrally
• Secure the management interface with appropriate authentication measures
• Remove default passwords.

Operation of the firewall should be done according to written instructions and should include:
• Review of logs
• Frequent review of the firewall configuration settings for adequacy
• Patching the firewall operating system (OS).

6.1.7 Information Sources and Reference Material
• Information Assurance Technical Framework document Section 6.1, IATF Forum iatf.net/framework_docs/version-3_1/index.cfm
• Internet Firewalls Frequently Asked Questions (FAQ), M. Curtin, M. Ranum, interhack.net/pubs/fwfaq/
• Choosing the Best Firewall. G. Cronje, SANS Institute Reading Room, sans.org/reading_room/whitepapers/firewalls/951.php
• Ports and Services Safety Descriptions Regarding Firewall Use, R. Farrow, Spirit.com, spirit.com/Resources/ports.html
• NISCC Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks, National Infrastructure Security Coordination Centre, London, 2005, cpni.gov.uk/docs/re-20050223-00157.pdf.
• IAONA Handbook Network Security - Draft/RFC v0.4, Industrial Automation Open Networking Association (IAONA), Magdeburg, Germany, 2003.
• Falco, Joe, et al., IT Security for Industrial Control Systems, NIST IR 6859, 2003, isd.mel.nist.gov/documents/falco/ITSecurityProcess.pdf.
• NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf.
• Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
• Dzung, D., Naedele, M., Von Hoff, T., Crevatin, M. "Security for Industrial Communication Systems," Proceedings of the IEEE. Institute of Electrical and Electronics Engineers Inc. 2005.
• "Security Unconscious?" controlglobal.com/industrynews/2005/166.html, September 12, 2005.
• Pollet, J., "PatriotSCADA Distributed Firewall for SCADA and Industrial Networks," PlantData Technologies, Houston, Texas.
• Green, M., Gallo, S., Miller, R., "Grid-Enabled Virtual Organization Based Dynamic Firewall," Proceedings of the Fifth IEEE/ACM International Workshop on Grid Computing, 2004.
• Wool, A., "The use and usability of direction-based filtering in firewalls," Computers & Security (2004) 23, pp. 459-468.
• Santiraveewan, V. and Permpoontanalarp, Y., "A Graph-based Methodology for Analyzing IP Spoofing Attack," Proceedings of the 18th International Conference on Advanced Information Networking and Application, 2004.
• Gou, X., Jin, W., "Multi-agent System for Multimedia Communications Traversing NAT/Firewall in Next Generation Networks," Proceedings of the Second Annual Conference on Communication Networks and Services Research, 2004.
• Ly, S. and Bigdeli, A., "Extendable and Dynamically Reconfigurable Multi-Protocol Firewall," International Journal of Software Engineering and Knowledge Engineering, Vol. 15, No. 2 (2005) pp. 363-371.
• Xu, Y., Lee, H.C.J., "Source Address Filtering Firewall to Defend against Denial of Service Attacks," IEEE, 2004, pp. 3296-300.
• "Advantech." controlglobal.com/vendors/products/2005/208.html. 2005.
• Cranor, L.F. and Garfinkel, S. Security and Usability: Designing Secure Systems that People Can Use. O'Reilly Media, Inc. Sebastopol, CA 2005. p. 328.
• Harris, S. Mike Meyer's CISSP Certification Passport. McGraw-Hill/Osborne, Berkeley, CA 2002. pp. 48-55, 58-63, 83, 89, 91.
• Teumim, D.J.
Industrial Network Security. ISA, Research Triangle Park, NC 2005. p. 73.
• Zurawski, R. Industrial Communication Technology Handbook. CRC Press, Boca Raton, FL 2005. Chapters 6.3, 27.3.

6.2 Host-based Firewalls

Host-based firewalls are software solutions deployed on a workstation or controller to control the traffic that enters or leaves that specific device. This type of firewall enforces a local access control policy by either blocking or permitting certain types of traffic at the network interface card or IP stack level, before presenting the packet to applications running on the host.

6.2.1 Security Vulnerabilities Addressed by this Technology

A host-based firewall on a computer system serves the same purpose as a lock on a filing cabinet. It protects a specific computer from unauthorized communication with applications or users on other systems. It can also be used as a low-cost protection mechanism for computers connected directly to the Internet, such as VPN-capable laptops and PDAs, and is commonly used in home and small business environments. Some vendors offer host-based firewalls that also act as host intrusion detection systems. Their offerings include simplified clients that serve as personal firewalls on a personal computer, and more advanced options available for servers. Tasks performed by host-based firewalls include:
• Blocking inbound packets from being processed by applications on the device
• Controlling outgoing traffic from the host
• Recording information useful for traffic monitoring and intrusion detection.

6.2.2 Typical Deployment

Host-based firewalls are installed on each machine to create a protected collection of computers, with each machine having its own access rules. This protection method is typically intended as a last line of defense, protecting the workstation when other defenses have failed to block an unwanted packet. Host-based firewalls have similar capabilities to network firew alls, including stateful packet inspection. They serve a complementary function to network firewalls on individual workstations, and protect application-level software from many DoS attacks by filtering out bad packets at the network interface card or TCP/IP stack level.

6.2.3 Issues and Weaknesses

Host-based firewalls do not protect workstations against data-driven attacks (i.e., viruses), denial-of-service attacks, social engineering attacks, or malicious insiders.
Similar to network firewalls, host-based firewalls cannot protect against tunneling over allowed application protocols or against infected or poorly written applications. Firewalls tend to be viewed as a panacea, potentially providing a false sense of security, but they should be looked at as only part of a larger network security approach. Firewall deployment does not remove the need to implement software controls on internal networks or proper host security on servers. Firewalls cannot help if an organization does not understand what kind of access it wants to allow or deny. Developing effective access control rules is a complex process that typically requires a professional specifically trained in network security issues.

6.2.4 Assessment for the Industrial Automation and Control Systems Environment

In the IACS environment, host-based firewalls are still relatively rare, particularly on critical control devices and workstations. Most controller-based operating systems do not permit deployment of this type of software, and HMI vendors may prohibit using this type of software on workstations in order to guarantee proper operation and retain the warranty.

NOTE: The host firewall compatibility issue is a result of many DCS vendors testing and validating their systems with a controlled set of applications on the HMI. The vendor may void its DCS warranty if the user adds software to the system, because of the potential for interference with critical systems. Improper software installation could also negate supplier liabilities.

Issues faced in deploying host-based firewalls in IACS environments include:
• A lack of firewall products available for non-IP based protocols such as Foundation Fieldbus®, Profibus®, or any serial-based network.
• A lack of host-based (software) firewall products available for the typical controller-based operating systems found in PLCs, RTUs and DCSs.
• Some Windows® and UNIX® control system software packages may not be compatible with host-based (software) firewall products.
• Possible additional latency in control system communications.
• A lack of experience in the design of filter rule sets suitable for industrial applications.
• Significant overhead required to manage host-based firewalls in the widely dispersed systems typical of SCADA environments.

This technology requires improved central administration and management of widely dispersed host-based firewalls before it is likely to see widespread use on mission-critical devices in the IACS environment.
At the time of publication, it was sporadically deployed on noncritical workstations on a case-by-case basis.

6.2.5 Future Directions

• Improved central administration and management of distributed host-based firewalls.
• Dynamic modification of the local firewall policy based on system-wide events.
• Using host-based firewalls for distributed intrusion detection.

6.2.6 Recommendations and Guidance

There are relatively few host-based firewalls in the IACS environment. In general, most control systems do not have firewalls or similar software, and vendors may prohibit this type of software on workstations. Commercially available firewalls are unaware of industrial protocols such as MODBUS/TCP and Ethernet/IP. Therefore, these firewalls cannot examine SCADA packets at the application layer or offer proxy services for these protocols. At the time of publication, no commercial package had been identified that offered a solution to this problem. As seen, the development of firewalls that understand these protocols and can implement rules to filter SCADA traffic is needed. In response to this need, an open-source MODBUS-aware firewall has been developed as an extension to the Linux® kernel. This software is available for free at modbusfw.sourceforge.net/. Development of similar solutions for other platforms and configurations would facilitate widespread deployment of such firewalls in the industry. The development of micro-firewalls for individual or near-field control devices is also needed. The concept of distributed micro-firewalls protecting critical programmable logic controllers (PLCs) and RTUs has been proposed, but limited development work has been done. The concept would have a micro-firewall installed in front of an individual controller or terminal to protect it from malicious attack. These micro-firewalls would offer a second layer of defense inside the process control network (PCN) firewall, to protect the system from attacks originating within the PCN. There were two promising efforts to address this problem at the time of publication. First, the British Columbia Institute of Technology had initiated a project to develop a prototype system. Second, Siemens had plans to release a VPN Gateway that could also act as a distributed micro-firewall.

6.2.7 Information Sources and Reference Material

• Information Assurance Technical Framework document, Section 6.1, IATF Forum, iatf.net/framework_docs/version-3_1/index.cfm
• Internet Firewalls FAQ, M. Curtin, M. Ranum, interhack.net/pubs/fwfaq/
• Choosing the Best Firewall. G.
Cronje, SANS Institute Reading Room, sans.org/reading_room/whitepapers/firewalls/951.php
• Shimonski, Robert J., Shinder, Debra Littlejohn, Shinder, Dr. Thomas W. (2003), The Best Damn Firewall Book Period, Syngress Publishing, Inc., 800 Hingham Street, Rockland, MA 02370.
• Zurawski, Richard (2005), Industrial Communication Technology Handbook, CRC Press, crcpress.com.
• Harris, Shon (2005), All-in-One CISSP, McGraw-Hill/Osborne, 2100 Powell Street, 10th floor, Emeryville, CA 94608.

6.3 Virtual Networks

Virtual Local Area Networks (VLANs) divide physical networks into smaller logical networks to increase performance, improve manageability, and simplify network design. VLANs are achieved through the configuration of Ethernet switches. Each VLAN consists of a single broadcast domain that isolates its traffic from other VLANs. Just as replacing hubs with switches reduces the Ethernet® collision domain, using VLANs limits the broadcast domain, as well as allowing logical subnets to span multiple physical locations. VLANs typically require Ethernet frame tagging, using IEEE 802.1Q (see section 6.3.6) or proprietary standards, on the inter-switch link, so that frames belonging to a VLAN can be transmitted and received on the ports configured for it across the network. Switches typically provide trunking characteristics to exchange VLAN database information so that updates can propagate through multiple interconnected switches. There are two categories of VLANs:
• Static—often referred to as “port-based,” where switch ports are assigned to a VLAN so that the VLAN is transparent to the end user
• Dynamic—the end device negotiates VLAN characteristics with the switch, or the switch determines the VLAN based on IP or hardware addresses.

Although more than one IP subnet may coexist on the same VLAN, the general recommendation is a one-to-one relationship between subnets and VLANs. This practice requires a router or multi-layer switch to join multiple VLANs. Many routers and firewalls support tagged frames, so that a single physical interface can be used to route between multiple logical networks.

6.3.1 Security Vulnerabilities Addressed by this Technology

VLANs are typically not deployed to address host or network vulnerabilities in the same way that firewalls and intrusion detection systems are.
However, when properly configured, VLANs allow switches to enforce security policies that segregate traffic at the Ethernet layer. Properly segmented networks can also mitigate the risk of broadcast storms that may result from port scanning or worm activity.

6.3.2 Issues and Weaknesses

Switches are susceptible to attacks such as media access control (MAC) spoofing, table overflows, and attacks against spanning tree protocols, depending on the device and its configuration. VLAN hopping (the ability of an attacker to inject frames into unauthorized ports) has been demonstrated using switch spoofing and double-encapsulated frames. These attacks cannot be conducted remotely and require local physical access to the switch. A variety of features, such as MAC address filtering, port-based authentication using IEEE 802.1x, and specific vendor best practices, can be used to mitigate attacks against VLANs, depending on the device implementation.

6.3.3 Assessment in the Industrial Automation and Control Systems Environment

Field area networks (FANs), also called fieldbus systems, are ideally suited to the industrial automation and control systems environment. In general, FANs can cover larger distances than local area networks (LANs). Also, FANs have low data rates and, since FANs transport mainly process data, the size of the data packets is small and real-time capabilities are important. On the other hand, LANs have high data rates and carry large amounts of data in large packets. In LANs, timeliness is not the primary concern, and real-time behavior is not required. LANs are therefore less well suited to the industrial automation and control systems environment.

VLANs are effectively deployed in plant floor networks where an automation cell, even one containing FANs, is assigned a single VLAN to limit unnecessary traffic flooding and to allow network devices in the same VLAN to span multiple switches.

6.3.4 Future Directions

Although routers have provided support for IEEE 802.1Q frame tagging for some time, firewall support for tagged packets on virtual interfaces has only recently been released. When combined with port-based authentication (802.1x), it may be possible to assign control system users to trusted (or less trusted) VLANs based on their authentication credentials and the integrity of their operating system.

6.3.5 Recommendations and Guidance

Adherence to vendor best practices can assist in ensuring a secure VLAN deployment.
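Section 6.2.6 notes that commercial firewalls cannot examine MODBUS/TCP at the application layer, and 6.3.2 names double-encapsulated frames as a VLAN-hopping technique. As an added example that is not code from the report or from the modbusfw project, the following host-side filter parses the 802.1Q tag and the Modbus/TCP MBAP header and applies a constructed policy (VLAN 10, read-only function codes from a hypothetical monitoring subnet, write function codes only from a hypothetical HMI address); the addresses, the policy and the frame builder are assumptions made for this example.

```python
import ipaddress
import struct

ETHERTYPE_VLAN = 0x8100  # IEEE 802.1Q customer tag
ETHERTYPE_QINQ = 0x88A8  # IEEE 802.1ad service tag, seen on double-encapsulated frames
ETHERTYPE_IPV4 = 0x0800
MODBUS_TCP_PORT = 502
# Public Modbus function codes: reads only observe, writes change process state.
MODBUS_READ_FUNCS = {1, 2, 3, 4}
MODBUS_WRITE_FUNCS = {5, 6, 15, 16}

# Constructed policy for one host on process-control VLAN 10 (hypothetical addresses).
POLICY = {
    "allowed_vlans": {10},
    "read_sources": ipaddress.ip_network("10.10.0.0/24"),  # HMI/historian subnet
    "write_sources": {"10.10.0.5"},                        # only the primary HMI may write
}


def build_frame(vids, src_ip, dst_ip, function, unit_id=1, pdu_data=b"\x00\x00\x00\x01"):
    """Construct a minimal Ethernet/802.1Q/IPv4/TCP/Modbus frame (test input only)."""
    pdu = bytes([function]) + pdu_data
    mbap = struct.pack("!HHHB", 1, 0, len(pdu) + 1, unit_id)  # protocol id 0 = Modbus
    tcp = struct.pack("!HHIIBBHHH", 40000, MODBUS_TCP_PORT, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(mbap) + len(pdu),
                     0, 0, 64, 6, 0, ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    tags = b"".join(struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF) for vid in vids)
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    return macs + tags + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp + mbap + pdu


def parse_frame(frame: bytes) -> dict:
    """Decode the layers the filter needs; raises on truncated input."""
    off = 12
    vids = []
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    while ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        (tci,) = struct.unpack_from("!H", frame, off)
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VLAN ID
        (ethertype,) = struct.unpack_from("!H", frame, off + 2)
        off += 4
    info = {"vids": vids, "ethertype": ethertype, "modbus": None}
    if ethertype != ETHERTYPE_IPV4:
        return info
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    info["src_ip"] = str(ipaddress.IPv4Address(frame[off + 12:off + 16]))
    info["dst_ip"] = str(ipaddress.IPv4Address(frame[off + 16:off + 20]))
    off += ihl
    if proto != 6:  # not TCP, so not Modbus/TCP
        return info
    _src_port, dst_port = struct.unpack_from("!HH", frame, off)
    off += (frame[off + 12] >> 4) * 4
    payload = frame[off:]
    if dst_port == MODBUS_TCP_PORT and len(payload) >= 8:
        _tid, proto_id, length, unit_id, func = struct.unpack_from("!HHHBB", payload)
        info["modbus"] = {"protocol_id": proto_id, "length": length, "unit_id": unit_id,
                          "function": func, "pdu_len": len(payload) - 7}
    return info


def filter_frame(frame: bytes, policy=POLICY):
    """Return ('ACCEPT' | 'DROP', reason) for one inbound frame."""
    try:
        info = parse_frame(frame)
    except (struct.error, IndexError, ValueError):
        return "DROP", "truncated or malformed frame"
    if len(info["vids"]) > 1:
        return "DROP", "double-encapsulated 802.1Q frame"
    if info["vids"] and info["vids"][0] not in policy["allowed_vlans"]:
        return "DROP", "frame tagged for foreign VLAN %d" % info["vids"][0]
    mb = info["modbus"]
    if mb is None:
        return "ACCEPT", "not Modbus/TCP; left to generic rules"
    if mb["protocol_id"] != 0 or mb["length"] != mb["pdu_len"] + 1:
        return "DROP", "inconsistent MBAP header"
    src = ipaddress.ip_address(info["src_ip"])
    func = mb["function"]
    if func in MODBUS_READ_FUNCS and src in policy["read_sources"]:
        return "ACCEPT", "read function %d from monitoring subnet" % func
    if func in MODBUS_WRITE_FUNCS and info["src_ip"] in policy["write_sources"]:
        return "ACCEPT", "write function %d from authorised HMI" % func
    return "DROP", "function %d from %s not permitted" % (func, info["src_ip"])
```

A production filter would additionally track TCP state and validate the Modbus PDU length against the function code, which this example omits.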
However, there is widespread, strong interest in using the Internet in various ways with control systems to increase productivity and provide seamless connectivity between the control system and the industrial enterprise. Along these lines, connecting FANs to the Internet is the next widely encompassing step for industrial automation and control systems. This connection could be done via a VPN type tunneling approach through gateways, based either on Web technologies or on higher level protocols. Web technologies include Hypertext Transfer Protocol (http), Java, and Extensible Markup Language. Higher level protocols include SNMP and Lightweight Directory Access Protocol (LDAP).

6.3.6 Information Sources and Reference Material

• Intel Networking Technical Briefs: Virtual LANs: Flexible Network Segmentation for High-Speed LANs, Intel Corp. intel.com/network/connectivity/resources/doc_library/tech_brief/virtual_lans.htm
• UC Davis Network 21: VLAN Information, University of California - Davis, net21.ucdavis.edu/newvlan.htm
• IEEE 802.1Q - Virtual LANs, IEEE, Institute of Electrical and Electronics Engineers. ieee802.org/1/pages/802.1Q.html
• SAFE Blueprint, SAFE Enterprise Layer 2 Addendum, Cisco Systems, Inc. cisco.com/en/US/netsol/ns340/ns394/ns171/ns128/networking_solutions_package.html
• Zurawski, Richard (2005), Industrial Communication Technology Handbook, CRC Press, crcpress.com.
• Harris, Shon (2005), All-in-One CISSP, McGraw-Hill/Osborne, 2100 Powell Street, 10th floor, Emeryville, CA 94608.

7 Encryption Technologies and Data Validation

Encryption is the process of encoding and decoding data in order to ensure that information is accessible only to those authorized to access it. Data validation technologies safeguard the accuracy and completeness of the information used in an industrial process.

7.1 Symmetric (Secret) Key Encryption

Symmetric (secret) key encryption involves transforming a digital message (called plaintext) into an apparently uncorrelated bit stream called ciphertext. A well-defined algorithm has two inputs and performs a reversible transformation:
• the plaintext (for encryption) or the ciphertext (for decryption)
• a secret bit string called the key.

A receiving device possessing the same algorithm and key can transform the ciphertext back into the original plaintext message.
Without the key, the inverse transformation is not computationally feasible. The name “symmetric encryption” is due to the fact that the same key and reversible algorithm are used both to encrypt the original plaintext message and to decrypt the ciphertext message. A simple analogy is a combination lock whose mechanism is knowable from the package literature or by studying a lock that has been disassembled. The combination (often a set of 3 numbers between 0 and 35) is the “key” to the lock. It is easy to open the lock when the key is known. Trying all possible combinations will eventually open the lock, so such locks are adequate if the cost of trying, on average, half of the physically distinct combinations ((36 x 36 x 36) / 2) is greater than the value of whatever the lock protects. Locks with a greater set of numbers in the combination provide greater protection. Similarly, larger symmetric keys generally provide greater protection. Cryptographic systems are considered secure when the effort required to recover the key or the protected message costs more than the value gained by the recovery. Effective encryption requires that both the sender and the intended recipient have the same key and keep it secret from others. The security of a cryptographic system rests on the difficulty of determining the correct key rather than on a secret algorithm. Unclassified symmetric key algorithms are published and extensively cryptanalyzed before they are considered suitable for use. The list approved by the U.S. National Institute of Standards and Technology (NIST) in Federal Information Processing Standard (FIPS) 140-2 includes the Triple Digital Encryption Standard (3DES) and the Advanced Encryption Standard (AES). AES is often designated AES 128, AES 192, or AES 256 to indicate the number of bits in the key. The older Digital Encryption Standard is being phased out. The algorithms described above are “block” ciphers because they encrypt blocks, frequently padding the end of the message to make it a multiple of the block length before encryption. Changing a bit in a ciphertext block randomly alters about 50% of the resulting block of plaintext on decryption.
A block cipher is typically used as a building block to create a stream cipher in what is called a “mode of operation.” Commonly employed stream cipher modes of block ciphers are:
• Counter mode (for message confidentiality), where a composite value consisting of a message count and a block-within-message count is encrypted to provide a unique “keystream” block that is then combined reversibly with the plaintext block to create the ciphertext block, and vice versa
• Cipher block-chaining mode (for message integrity), where a cascade of block encryptions of the plaintext, each combined with the prior cumulative encryption, provides a cryptographic checksum for the entire message.

Conceptually, a stream cipher encrypts and decrypts information in units of a single bit. Native stream ciphers typically feed back the plaintext message, in some form, to modify the key of the cipher throughout the encryption or decryption operation, a process generically called autokey. This contrasts with the stream cipher modes of block ciphers, which typically use a single unmodified key for successive encryption or decryption operations. Native stream ciphers have long been used by governments to protect classified communications, but have received little attention in the open research community. There are no NIST-approved native stream ciphers.

7.1.1 Security Vulnerabilities Addressed by this Technology

Symmetric key encryption is effective when used as a building block to provide data confidentiality (privacy), so that anyone “listening” to the data cannot understand it, and it is an essential component of message integrity and message source authentication. When used in a link encryptor (explained under Typical Deployment), symmetric key encryption can be used to distinguish the communicating devices that are part of the desired network. This feature is generally attractive for SCADA and process control systems that wish to allow little or no access to the control network, but it is difficult to deploy on systems requiring unrestricted Internet access. Refer to Public Key Encryption and Key Distribution for details on addressing other vulnerabilities, such as authentication and key distribution risks.

7.1.2 Typical Deployment

Symmetric key cryptography is typically implemented either in a link encryptor or embedded in the device to be protected. Each method is explained below.

Link Encryptors—A link encryptor is a hardware unit with distinct data ports.
Some ports are called plaintext (red) ports; they receive the data to be encrypted from the attached equipment when transmitting, and send the decrypted data to the attached equipment when receiving. The remaining port is the ciphertext (black) port; it sends the encrypted data stream (often with protocol information) to the ciphertext ports of other units and receives ciphertext information from those units. Within a link encryptor, the plaintext and ciphertext ports need not be separate. The receiving link encryptor accepts, decrypts, and passes the data to the receiving attached equipment. Some link encryptors provide an additional dedicated port for management functions, such as initialization, maintenance, and key change. Link encryptors are often used to retrofit equipment already installed on a network that has limited physical access.

Embedded Cryptography—Symmetric key cryptography may also be embedded in a cryptographic module inside the unit to be protected, often on a special purpose chip. In principle, the cryptographic routines could be incorporated into the programs of the process control equipment. However, special purpose processors can often do the extensive mathematics more quickly, and keeping the cryptographic portions separate may make them more secure. Embedded cryptography is often the preferred deployment, but it is often not practical to retrofit into existing control and SCADA systems.

7.1.3 Issues and Weaknesses

Modern cryptographic algorithms are rarely broken by direct attack. Most failures are due to poor protocols, side information, poor security policy, or deception attacks on the human component of the system. Even with good algorithms, cryptographic systems with inadequate protocols may be attacked by recording and replaying messages, studying message patterns, message forgery or alteration, and key loss/theft. Communication noise can be a problem because good cryptographic algorithms alter the message unpredictably, even if a single bit is changed. Cryptography also slows communications because of the additional time required to encrypt, decrypt, and authenticate a message. In addition, encrypted messages are often longer than unencrypted messages due to the following items:
• Additional check sums to reduce errors
• Protocols to control the cryptography
• Padding (for block ciphers)
• Authentication procedures
• Other required cryptographic processes.
Time increases can be tens of milliseconds for retrofit link encryptors on slow lines (300 to 19,600 baud) and milliseconds for embedded encryption. Depending on the protocol and system configuration, there may be problems with link encryptors encrypting both the message and the address, making messages impossible to route in a multi-drop configuration. Some systems may not support broadcast or multicast commands. Cryptography also introduces key management issues. Good security policies require periodic key changes. This process becomes more difficult as the geographic size of the process control system increases, with extensive SCADA systems being the most severe example. Because site visits to change keys can be costly and slow, it is useful to be able to change keys remotely. Key management issues are described more fully under Public Key Cryptography. An effective safeguard is a complete cryptographic system approved by an accredited cryptographic certification laboratory. The NIST/CSE Cryptographic Module Validation Program (CMVP) is the best internationally recognized. Even then, the technology is effective only if it is an integral part of an effectively enforced information security policy. The American Gas Association (AGA) report 12-1 (see section 7.1.7) contains an example security policy. While it is directed toward SCADA systems, much of its policy recommendations could apply to any manufacturing or control system.

7.1.4 Assessment in the Industrial Automation and Control Systems Environment

Cryptography does not appear to be widespread in IACSs at the current time. Process control data passing between devices on the IACS network may not need to be encrypted, due to the reduced vulnerability of data within a physically secure area. However, when data passes over wide area networks or the Internet to off-site users or support personnel, the communications should be encrypted to protect both the confidentiality and the integrity of the data. In instances where process control data passes between the IACS network and the site LAN, the relative vulnerability and criticality must be assessed to determine whether cryptography is appropriate.

7.1.5 Future Directions

A variety of proprietary cryptographic systems will probably enter the marketplace in the near future. It is also likely that products will appear that claim widely recognized algorithms (AES, 3DES, etc.) but use proprietary protocols.
Several standards and government organizations will make recommendations, and compliant products will emerge. Both retrofit and embedded products that comply with AGA 12-1 (see section 7.1.7) will continue to enter the market in the coming years.

7.1.6 Recommendations and Guidance

Overall, cryptography must be deployed as part of a comprehensive, enforced security policy. Select cryptographic protection matched to the value of the information and control system assets being protected and to the IACS operating constraints. Specifically, the cryptographic key should be long enough that guessing it takes more effort, time, and cost than the value of the protected asset. Also, protect encryption hardware from physical tampering and uncontrolled electronic connections. Select cryptographic protection with remote key management if the units being protected are so numerous or geographically dispersed that changing keys is difficult or expensive. Additionally, consider the following when protecting highly valuable control system data and information through cryptography.

1. Require separate plaintext and ciphertext ports unless the network absolutely requires the restriction of passing both plaintext and ciphertext through one port.

2. Use units certified to comply with a standard, such as FIPS 140-2 (see section 7.1.7), through the CMVP. Standards ensure that cryptographic systems have been studied carefully for weaknesses by a wide range of experts, rather than being developed by a few engineers in a single company. At a minimum, certification makes it probable that:
• A method (such as counter mode) is used to ensure that the same message does not generate the same value each time
• IACS messages are protected against replay and forging
• Key management is secure throughout the life cycle of the key
• The system is using a good quality random number generator
• The entire system has been implemented securely.

The AGA 12-2 report provides a good example of an industry consensus approach. While directed toward gas industry SCADA systems, it has many characteristics that apply to any Industrial Automation and Control System.

7.1.7 Information Sources and Reference Material

• AES Home page, csrc.nist.gov/CryptoToolkit/aes/
• American Gas Association Report (AGA 12-1), “Cryptographic Protection of SCADA Communications.” gtiservices.org/security/
• Menezes, Alfred J., van Oorschot, Paul C., Vanstone, Scott A.
(1996), Handbook of Applied Cryptography, CRC Press, crcpress.com. A readable discussion of the details of many areas of cryptography and attacks, although this book pre-dates AES.
• National Institute of Standards and Technology (NIST), Federal Information Processing Standard FIPS PUB 140-2, “Security Requirements for Cryptographic Modules.”
• Schneier, Bruce (1999), Applied Cryptography: Protocols, Algorithms & Source Code in C, John Wiley, www.wiley.com. Provides a readable, very detailed discussion of cryptography and protocols, but little insight into deployment in control systems.
• Smith, Richard E. (1997), Internet Cryptography, Addison Wesley, www.awprofessional.com. Provides a readable introduction to the subject of cryptography as applied to the Internet, with examples of commercial deployment. Much of this discussion can be applied to control systems with modification. Because this book predates AES, visit the AES website for recent details.
• AGA-12, Cryptographic Protection of SCADA Communications, Part 1: Background, Policies and Test Plan, September, 2005, gtiservices.org/security/AGA12_part1_draft6.pdf.
• Falco, Joe, et al., Security of Industrial Control Systems, NIST IR 6859, 2003, isd.mel.nist.gov/documents/falco/ITSecurityProcess.pdf.
• IAONA Handbook of Network Security - Draft/RFC v0.4, Industrial Automation Open Networking Association (IAONA), Magdeburg, Germany, 2003.
• NIST SP: 800-12, An Introduction to Computer Security: The NIST Handbook, csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf.
• Barker, Elaine, et al, NIST SP: 800-56, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, 2005, csrc.nist.gov/publications/nistpubs/800-56A/sp800-56A_May-3-06.pdf.
• Barker, Elaine, et al, NIST SP: 800-57, Recommendation for Key Management, 2005,
• Part 1, General: csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf.
• Part 2, Best Practices: csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part2.pdf.
• Katzenbeisser, S., Petitcolas, F.A.P., “Defining Security in Steganographic Systems,” Proceedings of SPIE, 4675, 2002, pp. 50-5.
• “Thales e-Security.” controlglobal.com/vendors/products/2005/207.html, 2005.
• Schwaiger, C. and Treytl, A., “Smart Card Based Security for Fieldbus Systems,” Austria Card, Vienna, Austria
• “CKM Technology Overview,” TecSec Inc., 2001.
• “Gas Technology Institute Awards Contract to SafeNet for SCADA Field Communications Security Development,” safenet-inc.com/news/view.asp?news_ID=264, May 2005.
• Schweitzer Engineering Laboratories, Inc., “Corporate Overview,” 2004.
• Peterson, D., “Protocol for SCADA Field Communications,” controlglobal.com/articles/2005/424.html, July 12, 2005.
• Lamberieux, P., “White Paper: Encryption,” Norman Data Defense Systems. February 1999.
• “SSL VPN vs. IPsec VPN,” Array Networks, Inc. 2004.
• Graham, J. and Patel, S., “Security Considerations in DNP3 SCADA Systems,” Department of Computer Engineering and Computer Science, University of Louisville.
• Cohen, B., “VPN Gateway Appliances-Access Remote Data like the Big Guys,” smallbusinesscomputing.com/testdrive/article.php/3501156, April 28, 2005.
• Zurawski, Richard (2005), Industrial Communication Technology Handbook, CRC Press, crcpress.com.
• Harris, Shon (2005), All-in-One CISSP, McGraw-Hill/Osborne, 2100 Powell Street, 10th floor, Emeryville, CA 94608.
• Schneier, B., Applied Cryptography-Protocols, Algorithms, and Source Code in C. John Wiley & Sons, Inc, Indianapolis, 1996. pp. 3, 5, 39.
• Teumim, D.J., Industrial Network Security. Instrumentation, Systems, and Automation Society, Research Triangle Park, NC 2005. p. 92.

7.2 Public Key Encryption and Key Distribution

As noted in section 7.1, secret key cryptography uses a single key in a symmetric manner for both encryption and decryption. In public key cryptography, a pair of different but related keys, usually called a public-private key pair, replaces the single key. The private and public keys are mathematically related so that the public key can be used by others to encrypt messages sent to the holder of the corresponding private key, which can then be decrypted only with the private key. Similarly, the private key can be used to sign a cryptographic hash of a document, and others can validate the signature via the corresponding public key.
The key holder usually circulates the public key to other users in the same community, but does not reveal the corresponding private key to other users. The security of the system rests on the secrecy of the private key. The public and private key pair may be generated directly by the user, or may be received by the user from a central key generation authority. The latter approach is particularly appropriate where there are legal or corporate key escrow requirements, since such requirements generally obligate the key generator to escrow the key(s) before use. To minimize the requirements for legal or corporate key escrow, and to enhance the protection of authentication (signing) keys, it is recommended for most applications that separate key pairs be used for encryption and authentication. Only the encryption private key needs to be backed up in most cases. This allows the private authentication key to be generated and retained at all times by the user, thus enhancing security. This is the default mode of operation for most key management systems. Recovery from the loss of a private authentication key is provided by issuing a new key pair. Since no data is encrypted with the authentication key pair, no data is lost.

7.2.1 Security Vulnerabilities Addressed by this Technology

Shared secrets used in symmetric encryption schemes leave open the possibility of one of the participants being compromised, thus compromising all portions of the system that rely on the secret being secure. Further, a mechanism must be provided for the sender(s) and receiver(s) to share the secret. If the secret cannot be shared securely, then there is no point in having a shared secret. Since password hashes typically use one-way hashing algorithms with known vulnerabilities, simple username and password authentication mechanisms are vulnerable to anyone with knowledge of the algorithm used. Therefore, other, more robust means of sharing secrets are required. Public (asymmetric) key cryptography addresses the weaknesses of shared secrets and one-way hashing algorithms by providing a framework in which the latter can have true value. Fast encryption of arbitrary data is best done using symmetric key algorithms. The problem with these algorithms is the need to securely share a common secret key. Using asymmetric cryptography, the sender encrypts the sharable secret (the symmetric encryption key) using the intended recipient’s public key, and then passes it to the recipient. The recipient decrypts this now-shared secret using its private key. At this point, both the recipient and the sender have a shared secret and can encrypt arbitrary data at a very high rate of speed.
The same technique can work for multiple recipients sharing a single key; each receives the same secret encrypted with its own public key, and decrypts the information with its private key to retrieve the shared secret. For example, the S/MIME secure email standard implemented in most modern e-mail programs uses this approach, with the message containing a separate public-key-encrypted version of the message key for each intended recipient; the message content is encrypted using this symmetric key. If an additional layer of authentication is provided (e.g., through a public key infrastructure-PKI with a trusted Certificate Authority Server), the public keys of the recipient(s) can be authenticated via the trusted third party before setting up a secure channel for data communication. Public key cryptography also provides the potential for unforgeable digital signatures. The information to be signed, whether a contract or a data record, is compressed via a cryptographic one-way function (hash) into a short bit string. The private key is used to transform this short bit string, which anyone can compute, into an equivalent string dependent on the private key. Anyone wishing to validate the digital signature can compute his own cryptographic hash of the original digital document and compare it to the string he gets when he applies the corresponding public key to the purported signature. If they compare, the holder of the private key signed the digital document or record.

7.2.2 Typical Deployment

Public key authentication is commonly deployed in:
• Transport-layer-security (IETF TLS or Secure Sockets Layer-IETF SSL)
• Virtual private network technologies, such as Internet Protocol Security (IPsec)
• Secure-Shell (IETF SSH)
• Kerberos (three-way-handshake) authentication using a certificate authority.

7.2.3 Issues and Weaknesses

There are no security weaknesses in the dominant public key/PKI encryption algorithms themselves. However, the security these algorithms provide depends on the key length, the quality of key generation and key management, and how users implement the PKI. Users need to understand how to properly create, distribute, and protect keys. The greatest weakness comes from users who do not use the technology properly. Another significant weakness of any public-key based system is what is called the “man-in-the-middle” attack.
If the penetrator is successful in inserting himself between the sender and the receiver, the penetrator can pretend to be the recipient to the sender, and pretend to be the sender to the recipient, through the penetrator’s own public-private key pair. The best way to protect against this vulnerability is a public key infrastructure or equivalent that issues signed certificates authenticating the public keys used. Time limits should also be placed on keys. Public key infrastructures conforming to modern standards such as PKIX (RFC 3280) and suitable protection profiles address many of these concerns. The Kerberos authentication rubric developed at the Massachusetts Institute of Technology (MIT) is also able to address this weakness and is available on most OS platforms. The processing required by public key algorithms is very central processing unit (CPU) intensive and cannot reasonably be supported by many 16-bit or smaller CPUs. Nor can it meet the demands of sub-second time-critical communications, even with very fast CPUs. Its primary use is distributing session keys for symmetric (secret) key encryption of messaging within a session, digitally signing documents, and validating signed documents.

7.2.4 Assessment in the Industrial Automation and Control Systems Environment

Public (asymmetric) key encryption provides a generic means of solving the issues of key distribution and unforgeable digital signatures. However, the initially deployed public key algorithms are much slower than symmetric key encryption algorithms, and the keys must be very long. For example, a 1024-bit Rivest, Shamir and Adleman (RSA) public key is roughly equivalent to an 80-bit symmetric key. Newer public key algorithms address these issues. An elliptical curve (EC) public key equivalent to an 80-bit symmetric key is 160 bits. The heavy computational requirements and, for small systems, the required extra memory are the primary hurdles to the deployment of asymmetric encryption in the IACS environment. In general there is a constraint on using encryption in the IACS environment due to the limitation of time-critical performance, including HMI response time. With rare exception, data message encryption systems should use symmetric key algorithms, with the keys previously shared using asymmetric (public) key encryption techniques. This sharing usually must be done without time-critical constraints.
The heavy performance burden of public key cryptography generally prohibits time-critical digital signatures, at least for low-computer-power devices. However, when authentication or non-repudiation (undeniability) is more important than performance, digital signatures provide the appropriate tool.

7.2.5 Future Directions

In the past, SCADA monitoring and control system communication was somewhat secure because the systems were developed without cyber connections to the outside world. As outside cyber connections are made to these systems, they become quite vulnerable. In the future, public key cryptography should play a significant role in securing SCADA control systems. Public key algorithms are continuing to evolve in order to provide better security for cyber systems and to counteract attackers who are continually obtaining more sophisticated methodologies and tools. Currently, the best-known public key algorithm is RSA. RSA is named for its inventors at MIT, Rivest, Shamir, and Adleman. RSA is a block cipher that remains popular, although its key length has increased in recent years. Additional key length puts a heavier processing load on applications. Unfortunately, the additional key length slows the communication process down, often to levels unacceptable for application in an IACS. A competitive approach that promises security similar to RSA, but using far smaller key lengths, is the elliptic curve cryptosystem (ECC). With the acceptance of ECC methods by the U.S. NIST, it is expected that systems will become available that use these more efficient algorithms.

7.2.6 Problems with Encryption Usage

Additional security is warranted as SCADA and IACS systems become connected to the outside world. Consequently, as systems become more connected, attackers may gain access through Internet pathways. Symmetric (secret) key encryption, discussed in section 7.1, is a good method to secure IACSs. On the other hand, the current state of the art in public key encryption does not make public key encryption viable for IACSs on its own, because the process itself is very slow and has its own problems. Symmetric key systems are usually much faster than their public key counterparts. Public key systems do have a place in securing IACSs. Public key systems may be used for exchanging the secret key for later communications through symmetric key systems. This hybrid approach is a common design that benefits from both the high speed of symmetric key systems and the secure key exchange of public key systems.
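The hybrid design of 7.2.6, combined with the counter mode and integrity checksum of 7.1, as an added illustration that is not code from the report: a toy RSA key pair built from two Mersenne primes wraps a session key, SHA-256 in counter mode stands in for the block cipher, and HMAC-SHA256 stands in for the CBC-MAC style checksum, with a sequence number checked against replay. The primes, key sizes and message are constructed assumptions; the scheme is illustrative only and is not a validated cryptographic module.

```python
import hashlib
import hmac
import os
import struct
from math import gcd

# Constructed toy RSA factors: the Mersenne primes 2**61-1 and 2**89-1. Known primes keep
# the example deterministic; a real key pair uses large random primes and padding.
TOY_P = 2**61 - 1
TOY_Q = 2**89 - 1


def rsa_keypair(p=TOY_P, q=TOY_Q, e=65537):
    """Textbook RSA key generation: returns public (n, e) and private (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))


def wrap_session_key(public_key, session_key: bytes) -> int:
    """Sender side of the hybrid scheme: encrypt the symmetric key to the recipient's public key."""
    n, e = public_key
    m = int.from_bytes(session_key, "big")
    if m >= n:
        raise ValueError("session key does not fit the modulus")
    return pow(m, e, n)


def unwrap_session_key(private_key, wrapped: int, key_len: int = 16) -> bytes:
    """Recipient side: recover the symmetric key with the private key."""
    n, d = private_key
    return pow(wrapped, d, n).to_bytes(key_len, "big")


def keystream_block(key: bytes, msg_seq: int, block_idx: int) -> bytes:
    """Counter mode as described in 7.1: the composite (message count, block-within-message
    count) is run through the keyed primitive to yield a unique keystream block.
    SHA-256 over key||counter stands in for the block cipher."""
    return hashlib.sha256(key + struct.pack("!QQ", msg_seq, block_idx)).digest()


def ctr_xor(key: bytes, msg_seq: int, data: bytes) -> bytes:
    """XOR data with the keystream; the same call both encrypts and decrypts."""
    out = bytearray()
    for idx in range(0, len(data), 32):
        block = keystream_block(key, msg_seq, idx // 32)
        out += bytes(a ^ b for a, b in zip(data[idx:idx + 32], block))
    return bytes(out)


def seal(key: bytes, msg_seq: int, plaintext: bytes):
    """Encrypt, then compute a keyed checksum over the sequence number and ciphertext.
    HMAC-SHA256 takes the place of the CBC-MAC style checksum the report describes."""
    ct = ctr_xor(key, msg_seq, plaintext)
    tag = hmac.new(key, struct.pack("!Q", msg_seq) + ct, hashlib.sha256).digest()
    return msg_seq, ct, tag


def open_sealed(key: bytes, expected_seq: int, msg_seq: int, ct: bytes, tag: bytes) -> bytes:
    """Reject replays (stale sequence number) and forgeries (bad tag) before decrypting."""
    if msg_seq < expected_seq:
        raise ValueError("replayed or out-of-order message")
    calc = hmac.new(key, struct.pack("!Q", msg_seq) + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(calc, tag):
        raise ValueError("integrity check failed")
    return ctr_xor(key, msg_seq, ct)


def rejected(key: bytes, expected_seq: int, message) -> bool:
    """True if the receiver refuses the (seq, ct, tag) triple."""
    try:
        open_sealed(key, expected_seq, *message)
    except ValueError:
        return True
    return False


def demo_exchange(plaintext: bytes = b"WRITE setpoint=42.0 unit=7") -> dict:
    """One full hybrid exchange, then a tampered copy and a replayed copy of the message."""
    pub, priv = rsa_keypair()
    session_key = os.urandom(16)                       # sender picks the symmetric key
    shared = unwrap_session_key(priv, wrap_session_key(pub, session_key))
    message = seal(session_key, 1, plaintext)          # bulk data goes over the fast path
    seq, ct, tag = message
    # Flipping one ciphertext bit under counter mode flips exactly one plaintext bit,
    # which is why the keyed checksum, not the cipher, provides integrity.
    tampered = (seq, bytes([ct[0] ^ 0x01]) + ct[1:], tag)
    return {
        "key_shared": shared == session_key,
        "roundtrip": open_sealed(shared, 1, seq, ct, tag) == plaintext,
        "tamper_caught": rejected(shared, 1, tampered),
        "replay_caught": rejected(shared, 2, message),  # receiver already expects seq 2
    }
```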
One problem with public key systems is the authenticity of the public key. An attacker may offer the sender his own public key and pretend that it originates from the legitimate receiver. If the sender then uses the fake public key to perform his encryption, the attacker can simply decrypt the message using his private key. In order to thwart an attacker's attempts to substitute his public key for the victim's key, certificates are used. A certificate combines user information with the user's public key, signed by a trusted authority that guarantees that the key belongs to the user. The trusted authority is usually called a certification authority, and is a component of a PKI. The certificate of the certification authority itself is usually verified by a higher level certification authority, which confirms that the certification authority's certificate is genuine and contains its public key.

7.2.7 Information Sources and Reference Material

• Secure-Sockets-Layer / Transport-Layer-Security Resources, Open SSL Project, openssl.org/
• Virtual Private Network Consortium / IPsec Resources, vpnc.org/
• Kerberos, The Network Authentication Protocol, Massachusetts Institute of Technology, web.mit.edu/kerberos/www/
• IPSec Offload Performance Comparison, ZD Labs, 2000, intel.com/network/connectivity/resources/doc_library/documents/pdf/intel_ipsec_final.pdf
• C. Mann, “A Web-Primer on Public-Key Encryption,” Atlantic Monthly, September 2002, theatlantic.com/issues/2002/09/mann_g.htm
• Zurawski, Richard (2005), Industrial Communication Technology Handbook, CRC Press, crcpress.com.
• Harris, Shon (2005), All-in-One CISSP, McGraw-Hill/Osborne, 2100 Powell Street, 10th floor, Emeryville, CA 94608.

7.3 Virtual Private Networks (VPNs)

One method of encrypting data is through a VPN. A VPN is a private network that operates as an overlay on a public infrastructure. It contains three components, each handled at the recipient end of the VPN:
• Authenticity and Authentication—Security measures designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information. [INFOSEC-99]2
• Integrity—In the formal security mode, integrity is interpreted more narrowly to mean protection against unauthorized modification or destruction of information.
[INFOSEC-99]3
• Confidentiality—Assurance that information is not disclosed to unauthorized persons, processes, or devices. [INFOSEC-99]4

A secondary component of VPNs is authorization, which encompasses:
• The rights granted to a user to access, read, modify, insert, or delete certain data, or to execute certain programs
• The access privileges granted to a user, program, or process. [INFOSEC-99]5

Some classes of technology, such as multi-protocol label switching, frame relay, and asynchronous transfer mode, may be referred to misleadingly as VPNs because they enable a private network to work over a public infrastructure. However, these technologies do not natively contain the primary components of a VPN described above.

2 atis.org/tg2k/_authentication.html
3 atis.org/tg2k/_integrity.html
4 atis.org/tg2k/_confidentiality.html
5 atis.org/tg2k/_authorization.html

7.3.1 Security Vulnerabilities Addressed by this Technology

A VPN is intended to allow a private network to function across a public network. A VPN can provide the same type of security to a network that an armored car can provide by securely transporting a company's information or material between physical premises. It protects the information in transport from the “outside” world. In the IACS environment, the outside world typically includes corporate LAN users who are not authorized to operate control center equipment. A VPN can provide the following services:
• Control access to the trusted network via authentication
• Maintain the integrity of trusted data over an untrusted network
• Record information useful for traffic monitoring, analysis, and intrusion detection.

7.3.2 Typical Deployment

In general, there are three classifications of VPN deployments, in which security gateways and hosts create the VPN connectivity.
• A security gateway is an intermediate system that uses VPN technology to secure traffic that traverses a pair of security gateways. Security gateways are also commonly used to implement authorization for the traffic that traverses the device. Security gateway functionality has been implemented in existing internetworking devices such as firewalls, routers, and switches. The terms VPN Concentrator and VPN Gateway are used for dedicated computing devices created to terminate large amounts of VPN traffic.
• A host uses VPN technology to secure traffic that originates from or is destined for the host.
The VPN technology used by the host is either included in the host's native operating system or added to the host operating system specifically to enable VPN access. The three classifications of VPN deployments are described in detail below.
• Security Gateway to Security Gateway (Figure 1)—The endpoints of the VPN are intermediary devices that pass traffic from a trusted network to an untrusted network, relying on VPN technology to secure the traffic over the untrusted transport network. This type of VPN is commonly called a site-to-site or LAN-to-LAN VPN.
Figure 1—Security-to-Security Gateway VPN
• Host-to-Security Gateway (Figure 2)—The endpoints are a host-computing device and an intermediate device that passes traffic from the host to the trusted network behind the security gateway, relying on VPN technology to secure traffic on the untrusted network. This type of VPN is commonly called a remote access VPN.
Figure 2—Host-to-Security Gateway VPN
• Host-to-Host (Figure 3)—The endpoints of the VPN tunnel are host-computing devices. The host devices leverage VPN technology on the host for securing communications over the untrusted network.
Figure 3—Host-to-Host Gateway VPN
The common types of VPN technology implemented today are:
• Internet Protocol Security (IPsec)—IPsec is a set of standards defined by the IETF that govern secure communication of data across public networks and secure IP unicast-capable applications. According to the standard, multicast applications cannot use IPsec. However, there is an IETF working group specifically looking at securing multicast traffic with IPsec. Alternatively, multicast and non-IP-based protocols can be transported through IPsec VPNs by encapsulating the protocols in an IP unicast-capable protocol and replicating the transmission to each desired VPN receiving device. For example, multicast traffic can be passed from router to router by encapsulating it in the appropriate header before being encrypted and transported via IPsec. IPsec is a tool included in many current operating systems. The intent of the standard is to guarantee interoperability across vendor platforms. While there are standards for vendor interoperability, in reality the determination of interoperability for multi-vendor implementations depends on specific implementation testing conducted by the end-user organization.
The protocol has been continually enhanced to address specific requirements in the market, with extensions to the protocol to address individual user authentication and network address translation (NAT) device traversal. These extensions are typically vendor specific and can lead to interoperability issues, primarily in host-to-security gateway environments.
• Secure Sockets Layer (SSL)—SSL provides a secure channel between machines; the channel is oblivious to the data passing over it. Refer to section 7.4.7. The IETF made slight modifications to the SSL version 3 protocol and created a protocol called Transport Layer Security (TLS). SSL and TLS are often used interchangeably. This report generically uses SSL terminology. SSL is often recognized for securing HTTP traffic. This protocol implementation is HTTP Secure (HTTPS). However, SSL is not limited to securing just HTTP traffic; it can be used to secure many different application layer programs. SSL-based VPN products have gained acceptance because they are marketed as “clientless” VPN products. The clientless terminology is deemed appropriate because network operating systems include an SSL implementation in the operating system's embedded web browser. The VPN administrator does not install third-party VPN “client” software, and can thus create a “clientless” VPN. The real benefit of a clientless implementation is that client installation requires little or no administration.
• Secure Shell (SSH)—SSH is a command interface and protocol for securely gaining access to a remote computer. It is widely used by network administrators to remotely control Web and other types of servers. The latest version, SSH2, is a proposed set of standards from the IETF.6 Typically, SSH is deployed as a secure alternative to the telnet application. However, SSH also has the ability to do port forwarding, which allows it to be used in all three deployments listed above. SSH is included in the majority of UNIX® distributions on the market, and is typically added to other platforms through a third-party package.
It is possible to overlay VPN technologies in order to provide secure access through security perimeters. For instance, a company may deploy an IPsec VPN to provide secure access at the company's edge perimeter. The company may then deploy an SSL VPN server to allow particular users to gain access to a security perimeter embedded within the company.
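The public key substitution problem from 7.2 and the certificate check that closes it, which is also what an SSL VPN client relies on when it accepts a gateway's certificate, as an added Go example that is not from the report: a constructed plant CA signs the gateway's certificate, an impostor presents a self-signed certificate under the same name, and the client accepts only the certificate that chains to the CA. The host name, the P-256 keys and the CA are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key pair (constructed for this example).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a certificate template for name; CA templates get the
// basic constraints and key usage a signer needs, leaves get a DNS SAN.
func template(serial int64, name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		t.IsCA = true
		t.BasicConstraintsValid = true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
	}
	return t
}

// sign issues a certificate binding pub to tmpl, signed with signer's key.
// When parent == tmpl the result is self-signed.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// VerifyReceiverKey is the sender-side check: the public key inside cert is
// trusted for name only if cert chains to the trusted CA and carries name.
func VerifyReceiverKey(cert, trustedCA *x509.Certificate, name string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err
}

// Scenario builds the CA, the genuine gateway certificate and an impostor's
// self-signed certificate that claims the same name with the attacker's key.
func Scenario(name string) (ca, genuine, impostor *x509.Certificate) {
	caKey := newKey()
	caTmpl := template(1, "Plant Root CA (constructed)", true)
	ca = sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	gatewayKey := newKey()
	genuine = sign(template(2, name, false), ca, &gatewayKey.PublicKey, caKey)

	// The attacker holds attackerKey but cannot obtain the CA's signature,
	// so the substituted key can only arrive in a self-signed certificate.
	attackerKey := newKey()
	impTmpl := template(3, name, false)
	impostor = sign(impTmpl, impTmpl, &attackerKey.PublicKey, attackerKey)
	return ca, genuine, impostor
}

func main() {
	const gateway = "vpn-gw.plant.example" // constructed name
	ca, genuine, impostor := Scenario(gateway)
	fmt.Println("genuine certificate: ", VerifyReceiverKey(genuine, ca, gateway))
	fmt.Println("impostor certificate:", VerifyReceiverKey(impostor, ca, gateway))
}
```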
7.3.3 Issues and Weaknesses
VPNs do not protect the network or workstations against data-driven attacks (i.e., viruses), denial-of-service attacks, social engineering attacks, or malicious insiders. Depending on the VPN technology chosen, the primary challenges of VPNs are:
• Interoperability. This issue is primarily associated with IPsec, due to different interpretations of the IPsec RFCs, and is typically mitigated within a company by selecting a standard IPsec VPN client and termination devices from a particular vendor.
• Setup. As mentioned above, there are several initiatives in the market to make setting up VPNs easier, either by introducing new technologies or by increasing the ease of use of existing technologies.
• Ongoing support and maintenance. Because VPNs are a technology overlay on an existing network, companies must spend operational resources to maintain the overlay and change it as the underlying infrastructure changes.
Each VPN technology has its trade-offs. For example, SSL-based VPNs are viewed as being easier to configure than IPsec VPNs on the client, but do not support the wide variety of applications and protocols that IPsec VPNs do.

7.3.4 Assessment for the Industrial Automation and Control Systems Environment
VPNs are often used in the IACS environment to provide secure access from an untrusted network to the PCN. Untrusted networks can range from the Internet to the corporate LAN. Properly configured, VPNs can greatly restrict access to control system host computers and controllers and therefore improve security. They can also potentially improve PCN responsiveness by removing unauthorized and nonessential traffic from the intermediary network.
6 whatis.techtarget.com/definition/0,289893,sid9_gci214091,00.html
Other possible deployments include using either host-based or mini-standalone security gateways, either interposed before or running on individual control devices. This technique of implementing VPNs on an individual device basis can have significant administrative overhead. Additional issues with using VPNs in the IACS environment include:
• The lack of VPN products available for non-IP based protocols such as Foundation Fieldbus®, PROFIBUS®, and any serial-based network. Emerging approaches such as AGA-12 are being developed for legacy communications protocols.
• The lack of host-based (software) VPN products available for the typical controller-based operating systems found in PLCs, RTUs, and DCSs.
• The potential incompatibility between host-based (software) VPN products and Windows® or UNIX® control system software.
• The additional latency in control system communications. This issue requires further research and testing.
• VPN reconnect times may be too long for mission critical links. This issue requires further research and testing.
• The lack of support for transport layer encryption schemes in IACS protocols such as PROFInet®, Ethernet/IP®, Foundation Fieldbus HSE®, and Modbus/TCP®.
• The lack of experience in designing large-scale VPNs for industrial applications.
• The overhead required to manage VPNs on the widely dispersed systems typical of SCADA environments.

7.3.5 Future Directions
Future directions include embedded VPN technologies in network end devices.

7.3.6 Recommendations and Guidance
VPN devices used to protect control systems should be thoroughly tested to verify that the VPN technology is compatible with the application and that the VPN devices do not unacceptably affect the traffic characteristics of the implementation.

7.3.7 Information Sources and Reference Material
• IPsec's Role in Network Security: Past, Present, and Future. C. Smith, SANS Reading Room, 2001, sans.org/reading_room/whitepapers/vpns/742.php
• SSL and TLS – Designing and Building Secure Systems, E. Rescorla, Addison-Wesley, 2000, awprofessional.com.

8 Management, Audit, Measurement, Monitoring, and Detection Tools
Audit, monitoring, and detection tools provide the ability to analyze security vulnerabilities, detect possible compromises, and forensically analyze compromise incidents. These technologies include virus detection systems, intrusion detection systems, host logging/auditing utilities, event correlation engines, and network forensics tools.

8.1 Log Auditing Utilities
Security incidents leave traces. A number of traces in various files and entries created by an attack can offer valuable information on the extent of the attack, the area of the system affected, and even an attack currently in progress. Typically, each server is responsible for maintaining its set of system logs individually. As the size and complexity of a network go up, so does the number of logs that might record a hostile act. Unfortunately, so too does the time it takes a system administrator to manage the logs.
Any security policy must plan for regular auditing and maintenance of critical logs and system trace files to increase the likelihood of catching, and being able to repair the damage of, an attack. For example, administrators typically monitor success and failure logon events, changes to local accounts, and changes to the local security policy. Although logon success events can help reconstruct a specific user's activities, administrators look primarily for events that document a consistent pattern of failed logons or failed attempts to change the local security policy. Most operating systems have an extensive set of logs and utilities for maintaining log files. For example, Microsoft Windows® 2000 has utilities delivered with the Advanced Server 2000 Resource Kit:
1. AuditPol—AuditPol can be used to display current security audit settings, enable or disable security auditing, and adjust the audit criteria for nine categories of security events.
2. Dumpel—Dumpel, a command-line tool, can be used to extract events from the system, security, or application log of a local or remote system.
The system registry is also an attack target. With the advent of security configuration tools and group policy, with their ability to centrally distribute registry security changes to hundreds or thousands of workstations, security issues here are likely to become more commonplace as organizations seek to enhance system security levels. Fortunately there are many tools and utilities to help here. Most can be found in the Resource Kit for Windows® 2000 Advanced Server. These tools are of the kind that manage backups and restoration of local and remote system registries and kernel settings. On Microsoft platforms, tools such as Wdiff can be scripted to examine differences between daily backups of registries to ascertain if any unforeseen or unregulated change has taken place.

8.1.1 Security Vulnerabilities Addressed by this Technology
Using a security-auditing tool such as AuditPol, administrators can check the numbers, types and responses to authentication attempts on network systems.
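The two patterns the text tells administrators to look for, a consistent run of failed logons for one account and any failed attempt to change the local security policy, as an added Go example that is not from the report: it parses a constructed, comma-separated event dump (a layout assumed for the example, not AuditPol's or Dumpel's own output format) and raises an alert when either pattern appears. Account names, hosts and timestamps are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed audit record.
type Event struct {
	Time     time.Time
	Category string // e.g. "Logon", "Policy change"
	Outcome  string // "Success" or "Failure"
	User     string
	Host     string
}

// Alert is one finding produced by the rules in Analyze.
type Alert struct {
	Rule   string
	Key    string // the account the finding concerns
	Detail string
}

// sampleLog is constructed for this example. Fields: time, audit category,
// outcome, account, host. The layout is an assumption, not a tool's format.
const sampleLog = `2007-10-29T08:00:05Z,Logon,Success,operator1,HMI-01
2007-10-29T08:01:10Z,Logon,Failure,svc_backup,HIST-01
2007-10-29T08:01:42Z,Logon,Failure,svc_backup,HIST-01
2007-10-29T08:02:05Z,Logon,Failure,svc_backup,HIST-01
2007-10-29T08:03:30Z,Logon,Failure,svc_backup,HIST-01
2007-10-29T08:15:00Z,Logon,Failure,operator2,HMI-02
2007-10-29T09:40:00Z,Logon,Failure,operator2,HMI-02
2007-10-29T09:41:12Z,Policy change,Failure,operator2,HMI-02
2007-10-29T10:00:00Z,Logon,Success,operator1,HMI-01
`

// ParseLog parses the records; malformed lines are skipped rather than trusted.
func ParseLog(text string) []Event {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Split(sc.Text(), ",")
		if len(f) != 5 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		events = append(events, Event{ts, f[1], f[2], f[3], f[4]})
	}
	return events
}

// Analyze applies two rules: at least threshold failed logons for one account
// inside window, and any failed attempt to change the security policy.
func Analyze(events []Event, threshold int, window time.Duration) []Alert {
	var alerts []Alert
	failures := map[string][]time.Time{} // account -> times of failed logons
	for _, e := range events {
		switch {
		case e.Category == "Policy change" && e.Outcome == "Failure":
			alerts = append(alerts, Alert{"policy-change-failure", e.User,
				fmt.Sprintf("%s failed to change policy on %s at %s",
					e.User, e.Host, e.Time.Format(time.RFC3339))})
		case e.Category == "Logon" && e.Outcome == "Failure":
			failures[e.User] = append(failures[e.User], e.Time)
		}
	}
	users := make([]string, 0, len(failures))
	for u := range failures {
		users = append(users, u)
	}
	sort.Strings(users) // deterministic report order
	for _, u := range users {
		times := failures[u]
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		// Sliding window over the sorted failure times: i is the oldest
		// failure still inside the window ending at times[j].
		for i, j := 0, 0; j < len(times); j++ {
			for times[j].Sub(times[i]) > window {
				i++
			}
			if j-i+1 >= threshold {
				alerts = append(alerts, Alert{"failed-logon-burst", u,
					fmt.Sprintf("%d failed logons for %s within %s starting %s",
						j-i+1, u, window, times[i].Format(time.RFC3339))})
				break // one alert per account is enough
			}
		}
	}
	return alerts
}

func main() {
	for _, a := range Analyze(ParseLog(sampleLog), 3, 5*time.Minute) {
		fmt.Printf("%-22s %-11s %s\n", a.Rule, a.Key, a.Detail)
	}
}
```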
The kinds of events that tools such as AuditPol can monitor are:
• Account events (account logon events) monitor logon attempts on the domain controller (DC)
• Directory (directory service access) is a generic category that can be enabled to audit access to DC objects
• Logon events (logon events) monitor logon attempts on the local system
• Object access (object access) is a generic category that can be enabled to track access to a specific file, folder, or shared resource
• Policy events (policy change) track changes to the local security policy
• Privilege events (privilege use) monitor operations that grant elevated privileges to user or group accounts
• Process (process tracking) is a generic category that can be enabled to audit access to a specific process
• Security Account Manager (SAM) events (account management) monitor changes to individual or group accounts in the local system SAM database
• System events (system events) include system service startup and shutdown, and messages from the browser, the routing and remote access service, and the W32 time service.
In the case of Dumpel, the logs of other systems may be screened, backed up and parsed for key security events such as password/authentication lockout, access using guest or administrative accounts, and so on. Other tools such as Wdiff can parse and examine differences between chronological logs, or between logs taken from identically configured machines, to determine if any unscheduled or unregulated change has been made.
Also in the Windows® resource kits: System Difference Packages (Sysdiff) is a Resource Kit utility that allows users to quickly take before-and-after snapshots of the file system and registry. Using the difference information, Sysdiff builds a binary package that can be used to install the changes made between the snapshots. Sysdiff is typically used to install applications using the snapshot method. However, in this discussion, users can log Sysdiff changes and then view them in readable text form, which lets them see the Registry changes made by a particular application. The installer utility found in the Resource Kit serves as another useful tool for monitoring changes made during application installation. This often-overlooked utility can be very useful because it monitors activity around application installation, including the API calls the setup program uses to modify the registry. Other available freeware: RegMon is a useful registry troubleshooting tool.
It allows users to spy on the registry activity created by a given process. RegMon comprises an executable (regmon.exe) and a kernel-mode filter driver (regsys.sys) that is installed by default when RegMon is launched.

8.1.2 Typical Deployment
Microsoft 2000 utilities, and other tools deployed to manage remote servers, typically support extensive scripting and a command-line interface. Microsoft tools also fit into the Microsoft Management Console as snap-ins. The most effective of these tools are triggered by events of interest or by regular backup and screening of event files. The RegMon tool can spy on processes that make changes to the registry.

8.1.3 Issues and Weaknesses
Most system administration tools that may be used for log auditing and policy require extensive scripting and management. This is a problem in rapidly changing network environments, such as wireless fidelity (Wi-Fi) situations where machines are entering and leaving the network domains regularly. The scripts need to be extensively documented and maintained; otherwise, they quickly become obsolete and ineffective. The alternative is lower level auditing based on easily configured default settings for the tools, relying on common standards for the setup and management of the network environment. Both methods impose a load on the system administrator.

8.1.4 Assessment for the IACS Environment
In the IACS environment, these tools require extensive knowledge from a professional who is aware of the computing technology and of the critical production and safety implications in the facility. These networks are typically very stable in configuration and lend themselves well to managed scripts for auditing and maintenance. The most critical tasks of network management in the IACS environment are security and authentication management and registry installation and integrity management, and those functions can augment the installation and operational qualification exercise in regulated manufacturing environments. The judicious use of auditing and log management tools can provide valuable assistance in maintaining and proving the integrity of the IACS system installation through the system lifecycle. The value of these tools in this environment can be calculated from the effort required to requalify or otherwise retest the IACS system when its integrity, whether due to an attack or due to accident or error, is in question.

8.1.5 Future Directions
In the future, auditing utilities may move to web servers for auditing and management, as well as to Wi-Fi and other highly flexible network configurations.
8.1.6 Recommendations and Guidance
System auditing utilities should be planned from the inception of the IACS project or retrofitted as soon as convenient. There is enough value in providing tangible log evidence of the integrity of the system to warrant their use. Additionally, active log management utilities can actually flag an attack event in progress and provide location and tracing information to help respond to the attack.

8.1.7 Information Sources and Reference Material
• SANS Institute Intrusion Detection FAQ, SANS Institute Reading Room page, sans.org/resources/idfaq/index.php
• Monitoring and Troubleshooting the Registry—Darren Mar-Elia, October 2000, windowsitlibrary.com/Content/313/1.html
• Event-Log Auditing—Steve Sequis, February 2003, winnetmag.com/WindowsScripting/Article/ArticleID/27574/WindowsScripting_27574.html
• Security Auditing and Event-Log Sleuthing—Paula Sharick, April 2002, winnetmag.com/WindowsSecurity/Article/ArticleID/24356/WindowsSecurity_24356.html

8.2 Virus and Malicious Code Detection Systems
There is an ongoing battle between the creators of computer viruses and malicious code and the firms creating software to prevent their actions. While antivirus firms are adding proactive technology to their software, when it comes to new types of viruses they still largely depend on reacting to the actions of the virus creators. Short of dismantling your network, there is no way to totally protect your environment from the next fast-spreading virus. The one thing guaranteed in the world of malicious code: by the time you read this, the ‘black hats' and ‘white hats' will have taken the competition to new levels.
Over time, malicious code has entered systems by a variety of means: boot-sector viruses entering from floppy discs, remote procedure call attacks, executable scripts in email messages, and newer methods, including instant messaging and spoofed certificate controls downloaded from the Internet. Code detection systems must therefore be comprehensive enough to cover all possible ways a file can enter the system, and flexible enough to provide a defense in depth method that avoids common-mode failure of the protection. In many cases, the discussion surrounding the detection of virus infections centers on the activity of antivirus software. What is often overlooked is that if the antivirus software can detect an infection or infection attempt, it can usually deal with the situation effectively.
A virus incident occurs in situations where the antivirus software was not able to detect the infecting agent, at least initially. There are several types of indicators of a possible infection. Virus detection systems (VDS) can monitor and respond to these indicators. The indicators can result directly from the specific virus payload, from a side effect of the virus payload, or from the virus's attempt to spread. The indicators of a virus infection include:
• Interface indicators: where a screen or sound generated by the virus appears on several machines at once – for example, a cartoon sound or a screen shot of a pirate jolly roger
• System indicators: where the host's operating profile is changed, a file share suddenly becomes unsecured, or a system function becomes disabled
• File indicators: the appearance of unknown files on the host, or changed parameters of an executable file
• Network indicators: like network storms, email blasts or buffer flooding attempts
• Custom indicators: designed to address specific host functions or vulnerabilities, or designed by the administration team to isolate viral behavior – for example, using a dummy address book to trap malicious code that propagates by email.

8.2.1 Security Vulnerabilities Addressed by this Technology
A VDS serves as an active agent for the detection of unusual activity categorized by the indicators above. A VDS can monitor and act upon malicious code activity at either the host or network server level, or on the email server. A VDS can provide protection addressing the following vulnerabilities:
• Presence of a virus, worm or Trojan horse on a host system
• Detection of the typical pathology or behavior of a virus, worm or Trojan horse, indicating an attack is underway
• Detection, isolation and safe shutdown of systems affected by a viral attack.

8.2.2 Typical Deployment
Virus Detection Systems may be deployed in three modes:
1. Workstation installation: installed and running on a personal workstation to protect the workstation against network or server-borne attacks, and also to protect the network and servers from entry of a virus by direct installation on the workstation from floppy or detachable media
2. Server installation: installed and running on a shared server to protect against attacks that may attempt to access workstations from the server or propagate rapidly
3. Boundary installation: at the logical or physical boundaries of the network or system, to protect specifically against external attack – for example, embedded in a DMZ or a dedicated firewall proxy server.
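The before-and-after snapshot comparison that 8.1 describes for Sysdiff and Wdiff, applied to the file indicators listed above (an unknown file appearing, an executable changing while keeping its size, a file disappearing), as an added Go example that is not from the report: it hashes every file in a tree and reports the differences between two snapshots. The trees are constructed in memory with testing/fstest; os.DirFS would snapshot a real directory through the same function. File names and contents are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"sort"
	"testing/fstest"
)

// Entry is what the snapshot keeps for one regular file.
type Entry struct {
	Size   int64
	SHA256 string
}

// Change is one difference between two snapshots.
type Change struct {
	Path          string
	Kind          string // "added", "removed" or "modified"
	Before, After Entry
}

// Snapshot hashes every regular file under fsys. Any fs.FS works, so
// os.DirFS("C:/some/dir") snapshots a real tree the same way.
func Snapshot(fsys fs.FS) (map[string]Entry, error) {
	snap := map[string]Entry{}
	err := fs.WalkDir(fsys, ".", func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			return nil
		}
		data, err := fs.ReadFile(fsys, path)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		snap[path] = Entry{Size: int64(len(data)), SHA256: hex.EncodeToString(sum[:])}
		return nil
	})
	return snap, err
}

// Diff compares two snapshots and returns the changes sorted by path.
// A file whose size is unchanged but whose hash differs is still "modified",
// which is why the snapshot keeps a hash and not just a size or timestamp.
func Diff(before, after map[string]Entry) []Change {
	var changes []Change
	for path, b := range before {
		a, ok := after[path]
		switch {
		case !ok:
			changes = append(changes, Change{Path: path, Kind: "removed", Before: b})
		case a != b:
			changes = append(changes, Change{Path: path, Kind: "modified", Before: b, After: a})
		}
	}
	for path, a := range after {
		if _, ok := before[path]; !ok {
			changes = append(changes, Change{Path: path, Kind: "added", After: a})
		}
	}
	sort.Slice(changes, func(i, j int) bool { return changes[i].Path < changes[j].Path })
	return changes
}

// SampleTrees returns constructed before/after trees standing in for a
// workstation's file system: one executable altered in place (same size),
// one unknown file added, one file removed.
func SampleTrees() (before, after fs.FS) {
	before = fstest.MapFS{
		"bin/hmi.exe":       {Data: []byte("HMI binary v1")},
		"bin/loader.dll":    {Data: []byte("loader")},
		"config/points.csv": {Data: []byte("tag,addr\nFT101,40001\n")},
		"docs/readme.txt":   {Data: []byte("read me")},
	}
	after = fstest.MapFS{
		"bin/hmi.exe":       {Data: []byte("HMI binary v1")},
		"bin/loader.dll":    {Data: []byte("l0ader")}, // same length, different bytes
		"config/points.csv": {Data: []byte("tag,addr\nFT101,40001\n")},
		"bin/unknown.exe":   {Data: []byte("file not present in the baseline")},
	}
	return before, after
}

func main() {
	before, after := SampleTrees()
	b, _ := Snapshot(before)
	a, _ := Snapshot(after)
	for _, c := range Diff(b, a) {
		fmt.Printf("%-9s %s\n", c.Kind, c.Path)
	}
}
```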
8.2.3 Issues and Weaknesses
A VDS can only function if it is installed, running full-time and maintained current against the state of attack methods and payloads. Typically, within a few hours of an attack, the major VDS vendors release a patch or upgrade to provide detection and isolation of the new attack ecosystem. Any administration or organization that does not ensure that installations of the VDS are up to date and consistent with the latest pathologies is vulnerable. A trade-off needs to be made in considering the extent and scope of the virus detection scheme. Typically, commercial packages can be configured to carry out a range of tasks, depending on the function of the host where the software is installed. For example, a typical workstation configuration is set up to monitor and protect:
1. Against boot sector viruses at startup
2. Against file share virus propagation
3. Against Internet and email attachment viruses.
The trade-off is to configure the scanning of system, application and data files with enough frequency and scope to provide optimum protection relative to the performance degradation necessary to carry out the task.

8.2.4 Assessment for the IACS Environment
In the IACS environment, workstations and servers are usually dedicated to certain tasks in the operation of the facility. This includes tasks such as operations procedure review, recipe and laboratory management, logging and shift reporting, and so on. Additionally, mission-critical functions such as advanced control techniques, regulatory compliance and regulatory process control now run as applications on commercial-grade machines with common commercial operating systems such as Windows® XP or brands of Linux®. With the propagation of open standards for integrating systems together using techniques such as OPC, there are many more opportunities for malicious code to propagate quickly across what used to be highly proprietary systems. Given the capabilities of the commercial tools available, the IACS administration team must make an assessment of the trade-off between the impact of the loss of performance inevitable with an active VDS and the incremental gain in protection from implementing the various malicious code detection options. Upgrading the algorithms of a commercial VDS requires importing the algorithms from the Internet or from detachable media. This activity may bypass practices commonly used to isolate the IACS network. Therefore, the deployment of a VDS in an IACS situation must then assess the mission-criticality of the system, the configuration used, and the procedures to maintain those configurations.

8.2.5 Cost Range
Initial costs for a host VDS range from $20 USD to $80 USD.
In most cases, configurable, server-side versions are available for email and Internet servers. The major commercial VDS vendors also maintain a subscription support service, ranging from $20 USD to several $100s USD, for year-on-year updates, alerts and resources on the latest malicious code attacks.

8.2.6 Future Directions
Future directions include heuristics, statistical and neural net technologies for VDS. Physical access to networks will become much more prevalent using Wi-Fi.

8.2.7 Recommendations and Guidance
VDS configurations and policies should be carefully coordinated with intrusion-detection systems and firewalls. This provides a level of security and flexibility in preventing the deployment of malicious code. Unauthorized intrusions should be coordinated with the VDS to provide advance notice of possible attacks. There should be careful policy construction for the configuration, maintenance and deployment of VDS in secure, mission-critical IACS management and access networks.

8.2.8 Information Sources and Reference Material
• SANS Institute Intrusion Detection FAQ. SANS Institute Reading Room page. sans.org/resources/idfaq/index.php
• Virus protection software vendors include:
- Trend Micro trendmicro.com/en/home/us/enterprise.htm
- Sophos sophos.com/
- McAfee us.mcafee.com/
- Symantec symantec.com/index.htm

8.3 Intrusion Detection Systems
An intrusion is an attempt by someone to break into or misuse a computer system. Intrusion detection systems monitor either traffic patterns on a network or files on host computers, looking for signatures that indicate an intruder has been attempting to break into the system. These systems ensure that any unusual activity, such as open ports, unusual traffic patterns, or changes to critical operating system files, is brought to the attention of the appropriate security personnel. There are traditionally two varieties of IDS:
• Network Intrusion Detection Systems (NIDS)—Systems that monitor network traffic and alarm or respond when they identify traffic patterns they deem to be an attack.
• Host Intrusion Detection Systems (HIDS)—Software that monitors system and application log files. These systems respond with an alarm or a countermeasure when a user attempts to gain access to unauthorized data, files, or services.
The intrusion detection market has created an emerging classification of products referred to as intrusion prevention.
These products are similar to traditional NIDS and HIDS, but are designed to act instantaneously on attack detection by automatically blocking the malicious activity before damage occurs. IDS technology has two basic, complementary classifications of intrusion detection:
• Knowledge-based systems—This class of IDS products applies knowledge accumulated about specific attacks and system vulnerabilities.
• Behavior-based systems—These products assume that intrusions can be detected by observing a deviation from the normal or expected behavior of the system or its users.

8.3.1 Security Vulnerabilities Addressed by this Technology
An IDS serves as an active monitor, in a similar way to how guards or video cameras monitor a site's physical premises. It protects the computer network and the computers on it from misuse from both inside and outside the network. This technology provides security protection for the Industrial Automation and Control System environment by:
• Monitoring access to the network
• Recording information useful for traffic monitoring and threat analysis
• Detecting, alarming on, responding to, and preventing attacks on the network and on computers on the network.

8.3.2 Typical Deployment
There are three ways, or classifications, in which an IDS can be deployed:
• NIDS—Passive sniffing through a promiscuous interface on network subnets. This interface watches the traffic on the particular subnet(s) the IDS is attached to and compares the traffic against a set of rules to determine whether the traffic indicates an attack. This technique is the predominant method of deploying NIDS.
• NIDS—In-line deployment, where the NIDS functionality is in the forwarding path of computer communications. This is handled by embedding NIDS code into routers, firewalls, or standalone NIDS appliances.
• HIDS—IDSs installed on a machine that monitor and audit the actions of the computer and compare them to the HIDS policy.
A NIDS acts as a defense device by monitoring network traffic for threats that exploit vulnerabilities in computers on the network. A NIDS can perform important logging and auditing functions by providing alarms on attacks against vulnerabilities and capturing the attack traffic that triggered the alarm. A NIDS can take a variety of response actions in promiscuous mode, including implementing blocking policies on firewalls, routers, and switches, as well as resetting the transmission control protocol (TCP) sessions carrying the attack. When deployed in-line, a NIDS also gains the ability to drop traffic that matches an attack signature, preventing the attack from exploiting the vulnerability.
This ability is reflected in the term “intrusion prevention systems” being introduced to the market. HIDS involves loading software on a computer and having the software perform a variety of functions in order to detect and prevent attacks on the computer. HIDS systems vary in their technique for detecting intrusions. Typical applications include:
• Monitoring traffic in and out of the comput
• Performing file integrity checks
• Monitoring for suspicious user or application behavior.
HIDS, when referred to as “intrusion prevention” systems, can also prevent an attack using these techniques. Best practices recommend that an effective intrusion detection system involves deploying both host and network IDS.

8.3.3 Issues and Weaknesses
An IDS can only protect the network or workstations on which it is installed. In many instances, an IDS is not installed on every subnet or computer within a network. Total cost usually becomes the limiting factor in deploying IDS on a large scale. Total cost includes the cost of the IDS itself, certification and deployment costs, and the operational costs to effectively monitor and maintain the IDS. If an IDS is properly configured, it is an effective means of detecting, reacting to, and preventing attacks. However, an IDS can also be a single point of attack. With skill, hackers may be able to:
• Identify the IDS through port scans or attacks prevented by the IDS
• Create a denial of service attack against the IDS
• Evade the IDS through a variety of techniques including encryption, fragmentation, and string obfuscation/manipulation.
Other issues with using IDS include:
• The cost of filtering false positives—False positives occur when the IDS sends an alarm that reports benign activity as malicious and requires a response
• Friendly fire—In enabling response actions on the IDS, a high level of accuracy is required to ensure that malicious activity is blocked and legitimate traffic gets through
• High bandwidth networks might overrun the sensing capability of a NIDS
• The lack of standardized testing procedures leads to large differences in the performance of IDS depending on the traffic profiles used in testing.
IDS technology is starting to inherit the title of security panacea, and can potentially provide a false sense of security. IDS must be looked at as being part of a larger network security approach.
Deploying an IDS does not remove the need to implement network security best practices, such as implementing an access policy (firewalls), software controls on internal networks (antivirus), and proper host security on servers (patches, authentication, authorization). Operators must have the capability to easily configure and monitor the IDS for it to be effective. Developing effective IDS deployment, monitoring, and response actions requires a professional specifically trained in network security issues as well as in the control system network.

8.3.4 Assessment for the Industrial Automation and Control System Environment
In the Industrial Automation and Control System environment, a NIDS is often deployed between the PCN and the corporate LAN in conjunction with a firewall. HIDS is often deployed on computers with general-purpose operating systems and applications. Properly configured, IDS can greatly enhance the security management team's ability to detect attacks entering or leaving the system, thereby improving security. They can also potentially improve the PCN's efficiency by detecting nonessential traffic that goes over the network. Other possible deployments include using either HIDS or NIDS in front of, or running on, individual control devices. Issues faced in deploying IDS in Industrial Automation and Control System environments include:
• The lack of IDS products available for non-IP based protocols such as Foundation Fieldbus®, PROFIBUS®, and any serial-based network
• The lack of HIDS products available for the typical controller-based operating systems found in PLCs, RTUs, and DCSs
• The incompatibility of HIDS products with Windows® or UNIX® control system software
• The lack of IDS product support for Industrial Automation and Control System application layer protocols such as CIP and Modbus/TCP®
• The lack of experience in the design of IDS policy and the operation of IDS suitable for industrial applications
• The potentially significant overhead required to manage IDS on the widely dispersed systems typical of SCADA environments.

8.3.5 Future Directions
Future directions include:
• Distributed IDS
• False positive reduction
• Future research and development needs to focus on Host Intrusion Detection/Prevention (HIDS) technology for detecting unauthorized activity without consuming the server's resources, interfering with the control function, or adding latency.
Agents that run on dedicated devices without introducing significant latency are examples of HIDS configurations that should be explored. Control network traffic is static in the sense that the communication traffic is much more predictable and constrained than in a standard enterprise system; therefore, R&D needs to focus on testing devices with anomaly detection capabilities (i.e., unauthorized access attempts and failed logons are examples of events that can be detected using HIDS). Extensive testing needs to be performed.

8.3.6 Recommendations and Guidance
IDSs used to protect control systems should initially be configured so that no response actions are taken on either incoming or outgoing traffic. The default configuration should be modified only when the security management team believes the IDS has a high degree of accuracy in its detection techniques.

8.3.7 Information Sources and Reference Material
• SANS Institute Intrusion Detection FAQ, SANS Institute Reading Room page, sans.org/resources/idfaq/index.php
• Bace, Rebecca; Mell, Peter, NIST SP 800-31, Intrusion Detection Systems, csrc.nist.gov/publications/nistpubs/800-31/sp800-31.pdf.
• Peterson, Dale, Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks, ISA, 2004, digitalbond.com/SCADA_security/ISA%20Automation%20West.pdf.
• Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, EPRI, 2003.
• Wooldridge, S., “SCADA/Business Network Separation: Securing an Integrated System,” automation.com/sitepages/pid1363.php, 2005.
• “Battling the Cyber Menace,” Power Engineering International, 2005.
• Ashier, J. and Weiss, J., “Securing your Control System,” controlglobal.com/articles/2004/238.html, 2004.
• Network Monitoring System Designed to Detect Unwanted Wireless Networks, controlglobal.com/industrynews/2005/168.html, September 14, 2005.
• He, X., Lam, K., Chung, S., Chi, C., Sun, J., “Real-Time Emulation of Intrusion Victim in HoneyFarm,” AWCC, 2004.
• Shieh, S., Lee, F., Lin, Y., “Accelerating Network Security Services with Fast Packet Classification,” Computer Communications 27 (2004), pp. 1637-1646.
• Chen, Y., Yang, Y., “Policy Management for Network-based Intrusion Detection and Prevention,” IEEE NOMS, 2004.
• “Advantech,” controlglobal.com/vendors/products/2005/208.html, 2005.
• “A Way to Secure Ethernet Networks against Hackers,” ferret.com.au/articles/ff/0c02e9ff.asp, May 17, 2005.
• Rakaczky, E., “Intrusion Insights,” isa.org/intech, July 2005.
• Kim, H., Choi, Y., Seo, D., “Implementation of a Real-time Management System to Control an Intruder Trace-back System,” International Conference on Advanced Communication Technology, 2004.
• Dzung, D., Naedele, M., Von Hoff, T., Crevatin, M., “Security for Industrial Communication Systems,” Proceedings of the IEEE, Institute of Electrical and Electronics Engineers Inc., 2005.
• Lockhart, A., Network Security Hacks, O'Reilly Media, Inc., Sebastopol, CA, 2004, pp. 55, 261.

8.4 Vulnerability Scanners
Vulnerability scanners provide network and systems administrators a way to detect possible vulnerabilities in systems and networks before they can be used by malicious intruders to enter the computer system, as well as the control system once the enterprise system has been compromised. Vulnerability scanners identify three types of security issues: inadequate policies, misconfigurations, and software flaws. Once weaknesses are identified, the software supplies administrators with detailed information on the vulnerabilities and the best means of securing them. The two primary purposes for employing a vulnerability scanner are:
• Increasing security across the enterprise—Vulnerability scanners are used on enterprise networks to ensure that a standard level of security exists across the enterprise network. These scanners identify weaknesses across the enterprise, generate security reports on system security statistics for the enterprise, and deploy patches and security configuration changes to vulnerable systems. Enterprise scanning of this sort is used to decrease enterprise risk levels and set a general level of basic security on each host without sacrificing a great deal of functionality.
• Verifying the security of specific high-risk systems—Targeted scans are performed against specific high-risk hosts or appliances. Vulnerabilities detected on these hosts are individually assessed for criticality and weighed against the functionality requirements of the system.
To achieve the best balance between functionality and tight security, targeted scanning requires a high level of skill and knowledge from both the security administrator, who performs the scans, and the systems administrator, who maintains the system. Targeted scanning is designed to harden a high-risk system, decreasing the risk level of individual systems as much as possible. The second purpose is of greater concern in the control system environment.
Vulnerability scanners usually consist of four primary components:
• Vulnerability database—Contains vulnerability information that typically references Computer Emergency Response Team (CERT®) and vendor advisories and standard common vulnerabilities and exposures identification.
• Scanning engine—Performs three tasks: 1) detects devices on the network, 2) identifies the operating systems and applications resident on each computer, and 3) tests the system for vulnerabilities based on the identified operating system, applications, and security configurations. NOTE: The configuration of the system being scanned and the design of the vulnerability scanner determine which vulnerabilities and misconfigurations are detected.
• Agent with local administrative privileges—Deployed on the host, similar to an antivirus client. Agents allow scan administrators to control when scans are run, determine which vulnerabilities to check for, and send results back to a centralized report repository. Agents are generally deployed when scans must be performed regularly and enterprise security is the priority, as opposed to host-specific security. NOTE: While vulnerability scanners with agents can be deployed on a host, scans can still be performed without them, although certain ports, services, and rights are required to do so in lieu of the local administrative access of an agent.
• Reporting mechanism—Lists the vulnerabilities found on the system, supplies details on each problem, and provides recommendations for resolving the identified security issues. Information on user accounts, open ports, and services running on the host is also included in the reports.

8.4.1 Security Vulnerabilities Addressed by this Technology
Scanners check for the following three types of security issues on computer systems:
• Security policy weaknesses—Can be changed on individual systems, and do not relate to service or application configuration or software flaws. These problems can be resolved by changing policies on the host.
Examples of these weaknesses include lack of logging and auditing on the host, bad password policies, and poor control of user access rights.
• Misconfigurations—Vulnerabilities based on improper configuration of services, applications, or operating system components. Misconfigurations can be rectified by correcting the software as implemented on the host. Examples of misconfiguration vulnerabilities include installing unneeded components or leaving unnecessary services running on the system.
• Software flaws—Actual design glitches in operating systems, applications, or firmware. The ways to resolve these vulnerabilities are to install patches or updates released by the vendor, or to use external protection, such as a packet scrubber, to block access to the hole. Common examples include memory attacks such as buffer overflows on operating systems and injection attacks against databases.

8.4.2 Typical Deployment

Security personnel typically scan networks and devices as part of routine vulnerability testing and security assessments. The scans are used to determine security posture and policy violations, such as failure to apply security patches or unsecured configurations. The level and type of security needed (general standard security across the enterprise versus highly customized protection of high-risk hosts) determines the type of scanner implemented on the network and how scans are administered. Enterprise scanners making use of host-based agents are best deployed on networks requiring standard levels of security, centralized security management and reporting, and patch deployment capabilities. Vulnerability scanners run without an agent to assess and verify a system's level of security are best for evaluating high-risk systems such as control system components.

8.4.3 Issues and Weaknesses

The greatest limitation of the current generation of vulnerability scanners is the need for highly skilled security administrators and systems administrators. Scanning hosts properly, interpreting scan results, and then implementing fixes without disrupting services or opening new vulnerabilities requires:
• Strong familiarity with the operating system and its networking components
• Good understanding of the application and its environmental prerequisites
• Awareness of how the patch should interact with the application and operating system and what the possible consequences of the upgrade may be.

Another concern is accidental denial of service to devices or networks.
Vulnerability scanners often attempt to verify vulnerabilities by extensively probing or conducting a representative set of attacks on devices and networks. Because current scanners are not customized for control system environments, the manner in which the scans are implemented could cause systems to shut down or fail. False positives and negatives could also be generated in the report. A scanner could incorrectly report that a vulnerability exists when it does not (a false positive), or that a system is not vulnerable when it really is (a false negative).

8.4.4 Assessment for the IACS Environment

Ideally, targeted scans without agents should be run against development or test control system networks, isolated from production machines, in order to evaluate the impacts of the scans. Using scanners against production networks should be done carefully, with tested backup systems. This recommendation, though, is simply best business practice for scanning any type of critical system, regardless of whether the computer is a control system computer.

Using vulnerability scanners to deploy patches or update software is not recommended, for two reasons. First, neither users nor vendors of control systems have adequately implemented policies or techniques for patch management and software deployment. Until this issue is addressed, central deployment of patches should not be performed with vulnerability scanning software. Second, on high-risk systems vulnerability scanners should verify the security of the host, not manage patch deployment. The deployment and vulnerability assessment processes should remain separate on computers that require a high level of security.

8.4.5 Future Directions

Scanner databases of published vulnerabilities for industrial devices are currently limited with regard to Industrial Automation and Control System-specific vulnerabilities. This lack of information further limits the effectiveness of scanners in identifying vulnerabilities in operating systems and applications. However, given the industry move towards standard operating systems and applications, and away from air-gapped systems, scanners can help enhance the level of security of those components. Tests for control system-specific vulnerabilities can eventually be included in scanners.
8.4.6 Recommendations and Guidance

Vulnerability scanners should be used in control system environments that have deployed standard operating systems and applications. They should be carefully monitored on a backup network in order to minimize the chance of taking the production network offline. Additionally, special attention should be paid to the vulnerabilities discovered in order to ascertain whether false positives or negatives were generated. Finally, any changes or updates made to secure hosts should be done on backup or test systems to identify any possible harmful repercussions before the fixes are made to production control systems. Using vulnerability scanners on control system networks could significantly improve host-based security in these environments and provide a way of assessing risk levels on the network and on each individual host.

8.4.7 Information Sources and Reference Material
• Open Source Security Testing Methodology Manual (OSSTMM). P. Herzog, Institute for Security and Open Methodologies. isecom.org/osstmm/
• Nessus nessus.org/
• Common Vulnerabilities and Exposures cve.mitre.org/
• Nmap insecure.org/nmap/
• ISECOM Open Protocol Reference isecom.info/cgi-local/protocoldb/browse.dsp
• Network Computing Review of Vulnerability Scanners (January 2001), J. Forristal, G. Shipley, Network Computing. networkcomputing.com/1201/1201f1b1.html
• Network Scanners Pinpoint Problems (February 2002), M. Andress, Network World. nwfusion.com/reviews/2002/0204bgrev.html

8.5 Forensics Analysis Tools (FAT)

Forensic analysis tools (FAT) passively gather data on the network and its structure, traffic, and users by analyzing raw network packets. These tools are used to baseline network activity, analyze unusual network traffic, and help security researchers and control system (CS) network administrators. The three types of network analysis tools addressed in this section are: (1) packet capture, (2) network monitoring, and (3) network forensics analysis (NFA) applications. All network analysis tools work in basically the same way. The difference lies in the reporting and management capabilities built into network monitoring and NFA software.
• Packet capture tools—Packet capture tools such as Ethereal, Etherpeek, and NetMon capture raw network packets as they go across the wire and display packet information in granular detail for analyst review. They break out packet fields and header information into easily readable formats and can be used to see real-time activity on the network. Custom filters can be set to allow network administrators to capture packets based on protocol type, IP address, etc., allowing administrators to weed out information irrelevant to the task. Packet capture tools can be used to troubleshoot networking issues, examine anomalous behavior closely during incident response, and help administrators and researchers understand why individual system events generate the network traffic they do.
• Network monitoring tools—Commercial network monitoring and analysis tools, such as Hewlett Packard OpenView, extend the capabilities of a packet capture tool to the enterprise network. Network monitoring applications work in a similar fashion to packet capture software. However, they monitor the health of enterprise networks, have extended analysis and reporting capacity, and may allow network administrators to centralize network management functions.
• Forensics analysis tools—FATs, such as SilentRunner's SilentStorm, function similarly to network monitoring tools because they provide enterprise monitoring of the enterprise network, centralized network security management functions, and extensive reporting capacity. They differ from network monitoring and packet capture tools because they are designed as a defensive measure rather than a network administration tool. NFA applications not only monitor traffic, but also baseline normal traffic on the network from a security perspective, and can be configured to perform certain actions in response to detected security events.

8.5.1 Security Vulnerabilities Addressed by this Technology

Network analysis applications are critical to detecting unusual network communications, performing CS network administration, and responding to computer security incidents. While packet capture and network monitoring tools may not provide active defensive measures on the network, they provide critical information needed during network disruptions and computer incident response. This type of software addresses a general need in control system security rather than a specific vulnerability.
The relative lack of documentation on older proprietary CS network protocols makes network analysis tools a requirement for security researchers. In order to analyze how network protocols and CS applications work, security researchers and CS application vendors must have the tools necessary for network protocol analysis.

8.5.2 Typical Deployment

In the control system environment, network analysis software can be used to establish a baseline of normal network communications, a task that helps facilitate incident response and risk assessment. The establishment of traffic baselines through packet analysis on the CS network is necessary for detecting anomalous traffic and performing successful incident response. If normal traffic patterns are not assessed, then verifying what is anomalous becomes much more difficult and hinders incident response capabilities. Once irregular network traffic has been captured and analyzed by network analysis software, security personnel and network administrators can use the data dumps to evaluate what is actually happening on the network. Anomalous traffic compared to baseline traffic can provide critical information on the hosts generating the traffic, the ports and services that may be involved, and the network protocols being used. Packet dumps of uncharacteristic traffic can be used to ascertain whether the traffic is due to network issues, system misconfigurations, or a compromised system.

8.5.3 Issues and Weaknesses

In industrial automation and control environments, with their unusual protocols (e.g., fieldbus, OPC), network configurations (e.g., SCADA), and data constructs (e.g., OPC-DA, Alarm and Event, Batch, DCS messages), there are few commercial tools available for purchase that can satisfactorily handle the forensics task. The system administrator is left creating localized tools for specific protocols, and there can be gaps between the capabilities of standard business network FATs and control system needs. Fortunately, data historians can provide a ready-to-use capability for high-speed capture and storage, including analysis tools to assist the system administrator. Commercial tools tend to offer limited choices, based on the threat environment current at the time the tool was designed. Additionally, commercial tools are immature at this point relative to virus protection tools, with less sophisticated commercial licensing and database update models.
Forensic analysis tools require the systems administrator to configure the tool to look for and collect data on a given set of threats. If the FAT is not looking for data that corresponds to an attack, or captures only part of the attack process, then the investigator is left with an incomplete picture of the attack. Not only does configuration play a part in the data collection issue, but so does the difference between the rate at which networks process data and the rate at which it can be persisted to the data storage medium. FATs cannot hope, then, to store every piece of data and must work with a subset of the complete pathology of the attack. This data reduction comes either from using some form of heuristics or compression at the source of the message, or from a design that would demand significant amounts of shared memory to buffer the data before releasing it to persistence upon an attack. This latter approach works the same way an aircraft 'black box' captures data continuously until a serious event occurs, then writes to hardened storage at the time of the event. In either case, the system administrator needs to apply logic to define the data reduction rules and must in effect know the attacks or pattern of attacks to watch for. Finally, FATs themselves are subject to the same privacy laws that control environments and business systems find themselves working under. In the current climate, these laws vary considerably from country to country.

8.5.4 Assessment for the IACS Environment

Forensic analysis tools do not yet support industrial protocols. As a result, their use in the IACS environment is now limited to workstations connected to an Ethernet network using traditional protocols. They should be used with caution on an operational IACS network.

8.5.5 Future Directions

There is a need for FATs adapted to common industrial automation and control system protocols, such as OPC and fieldbus protocols. Filtering and data reduction tools must also be adapted to the kinds of data flows common in a manufacturing environment. The kinds of advanced data analysis techniques the industry has built for complex problems, such as inferential sensing, control system model identification, etc., could be applied to FATs used in IACS environments. For example, an attack on a control system could take the form of field instruments being spoofed to induce a shutdown of a piece of equipment. Forensic tools using statistics, neural nets, or inferential techniques could then be used to discern the data combinations of possible instrument readings and identify the source of the attack. More advanced tools, such as online analytical processing and data cubes, need to be applied to FAT data management as the large increase in data that needs to be analyzed and networks become more complex.
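The traffic baselining of 8.5.2 and the 'black box' data reduction of 8.5.3, as an added Python example that is not part of the report: it learns which (source, destination, port) flows are normal from a constructed capture, keeps only a bounded buffer of recent packets, and when a flow outside the baseline appears (the kind of trigger 8.5.6 says an IDS should supply) persists the buffered lead-up. All host names, ports and packet records are constructed sample data.

```python
"""Added example, not from ISA-TR99.00.01-2007: a toy forensic analysis tool
(FAT) that learns a baseline of normal flows (8.5.2) and keeps a bounded
'black box' buffer that is persisted only when a trigger fires (8.5.3, 8.5.6).
Every host name, port and packet record below is constructed sample data."""
from collections import Counter, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple

Flow = Tuple[str, str, int]  # (source host, destination host, destination port)


@dataclass(frozen=True)
class Packet:
    ts: float      # capture time in seconds (constructed)
    src: str       # source host (constructed name)
    dst: str       # destination host (constructed name)
    dport: int     # destination TCP port
    length: int    # payload length in bytes

    def flow(self) -> Flow:
        return (self.src, self.dst, self.dport)


def learn_baseline(packets: List[Packet], min_count: int = 2) -> Set[Flow]:
    """Baseline of normal flows: a flow counts as normal only if it was seen at
    least min_count times during baselining, so one stray packet captured while
    learning does not quietly whitelist a path."""
    counts = Counter(p.flow() for p in packets)
    return {flow for flow, n in counts.items() if n >= min_count}


class BlackBoxFAT:
    """Holds only the last `capacity` packets in memory (data reduction). When a
    flow outside the baseline appears (the trigger an active IDS would supply),
    the buffered lead-up is written to persistent storage; traffic that never
    precedes a trigger is dropped, like an aircraft 'black box'."""

    def __init__(self, baseline: Set[Flow], capacity: int = 8) -> None:
        self.baseline = baseline
        self.buffer: Deque[Packet] = deque(maxlen=capacity)
        self.persisted: List[List[Packet]] = []  # stands in for hardened storage
        self.alerts: List[Dict[str, object]] = []

    def observe(self, pkt: Packet) -> bool:
        """Feed one captured packet; returns True if it triggered a persist."""
        self.buffer.append(pkt)
        if pkt.flow() in self.baseline:
            return False
        self.alerts.append({"ts": pkt.ts, "src": pkt.src, "dst": pkt.dst,
                            "dport": pkt.dport, "reason": "flow not in baseline"})
        self.persisted.append(list(self.buffer))  # snapshot of the lead-up
        return True

    def summarize_alerts(self) -> Dict[str, Counter]:
        """What 8.5.2 asks for: the hosts and ports involved in anomalous traffic."""
        return {"hosts": Counter(a["src"] for a in self.alerts),
                "ports": Counter(a["dport"] for a in self.alerts)}


def _pkt(ts: float, src: str, dst: str, dport: int, length: int = 64) -> Packet:
    return Packet(ts, src, dst, dport, length)


# Constructed "normal day" capture used for baselining.
TRAINING_CAPTURE: List[Packet] = [
    _pkt(1.0, "hmi-1", "plc-1", 502), _pkt(1.5, "hmi-1", "plc-1", 502),
    _pkt(2.0, "hmi-1", "plc-1", 502),
    _pkt(2.5, "historian", "plc-1", 502), _pkt(3.0, "historian", "plc-1", 502),
    _pkt(3.5, "hmi-1", "historian", 80), _pkt(4.0, "hmi-1", "historian", 80),
    _pkt(4.5, "eng-ws", "plc-1", 502),  # seen once only: stays out of the baseline
]

# Constructed live capture containing one uncharacteristic flow.
LIVE_CAPTURE: List[Packet] = [
    _pkt(10.0, "hmi-1", "plc-1", 502), _pkt(10.5, "historian", "plc-1", 502),
    _pkt(11.0, "hmi-1", "historian", 80),
    _pkt(11.5, "eng-ws", "plc-1", 21),  # FTP to the controller: not baselined
    _pkt(12.0, "hmi-1", "plc-1", 502),
]


def run_demo(capacity: int = 8) -> BlackBoxFAT:
    """Baseline on the training capture, then replay the live capture."""
    fat = BlackBoxFAT(learn_baseline(TRAINING_CAPTURE), capacity)
    for pkt in LIVE_CAPTURE:
        fat.observe(pkt)
    return fat


if __name__ == "__main__":
    demo = run_demo()
    for alert in demo.alerts:
        print("alert:", alert)
    print("persisted lead-up packets:", [len(s) for s in demo.persisted])
    print("involved:", demo.summarize_alerts())
```

The `capacity` argument is the persistence trade-off of 8.5.6 in miniature: a smaller buffer costs less memory but keeps less of the lead-up to each event.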
An active IDS can be used to provide FATs with triggers for real-time configuration changes, so the FAT can adapt forensic data collection as an attack gets underway. Finally, the direction of privacy and counterterrorism laws will dictate the boundaries and obligations of system administrators for the foreseeable future.

8.5.6 Recommendations and Guidance

Forensic analysis tools should always be deployed in tandem with an active IDS. The logic used to configure the IDS can be applied to the FAT. The threat environment the IDS faces will always provide a subset of the data required for an effective FAT deployment. The system administrator should therefore prepare for FAT deployment with a comprehensive threat assessment. When using a FAT, the hardest decisions are to manage the trade-offs between the amount of data that will be collected from the network, the persistence space required to collect enough information to reconstruct an attack or incident, and the data reduction techniques used to manage the rate and quality of the data being persisted. When collecting and storing vital forensic data on either industrial automation and control systems or the users of those systems, be aware of and review the privacy laws and other laws in effect on the data collected. It can be considered illegal to collect too much data or to collect too little data, depending on the industry, the system, and the laws in effect at the time.

8.5.7 Information Sources and Reference Material
• "Analyze This!," N. King, E. Weiss, Information Security Magazine, February 2002. infosecuritymag.techtarget.com/2002/feb/cover.shtml Note: Weaknesses of Network Forensic Analysis Tools as addressed in this article can be viewed for future reference at: dfrws.org/dfrws2003/presentations/Brief-Casey.
• "Network Forensics: Tapping the Internet," O'Reilly Network, Simson Garfinkel, April 2002

8.6 Host Configuration Management Tools

Host configuration management (HCM) tools help systems administrators manage resources centrally, control access to systems, and set a general level of security on each host on the network. These tools make it easier for administrators to track what software and hardware is available on each host and to set a standard software and hardware configuration, which often results in cost and time savings in managing computers. To fully benefit from host configuration management tools, the network must enforce strong policies on system security, have a fairly homogenous hardware and software environment, and be a large or very widespread network.
Industrial automation and control systems typically do not use HCM tools because of the policy-driven nature of these tools. Configuration is done through the IACS application and is established because of functional needs rather than administrative or security policies. HCM on these networks is typically limited to two options: a) controlling user permissions and access, and b) limiting operational capacity strictly to performance-based needs. Any standardization of hardware or the underlying operating system is driven by the functionality requirements of the IACS application, not by security concerns. HCM tools are applications commonly used in the general IT world because of the critical role administrative and security policies play in network management. The cost of having these policies in place, which means monitoring and enforcing them, is a great deal higher there because of the large number of machines requiring administration and the greater number of threats to these networks.

8.6.1 Security Vulnerabilities Addressed by this Technology

HCM tools address no specific vulnerabilities related to IACSs or their networks. Utilization of HCM software is a preventive measure because it provides a means of enabling and enforcing security and administrative policies.

8.6.2 Typical Deployment

Industrial automation and control system operators do not use HCM tools. Instead, the IACS application determines the host configuration. User access restrictions can be set on operator and engineering workstations via the IACS application, and each user is granted a certain level of access to system resources based on his or her occupational requirements. Another method operators use to manage host configuration is to load specific modules of the IACS software, depending on the purpose of the machine. For example, ladder logic development tools are not needed on operator workstations, so a separate module is loaded that allows data gathering, limited control of IACS units such as PLCs and RTUs, and alarm monitoring.

HCM tools vary depending on the operating systems being managed. Predominantly Microsoft Windows® shops use Active Directory and third party tools to manage resources, track assets, and manage policy enforcement. HCM there is very centralized and administered for the network as a whole. LDAP, Network Information System, Network File System, and similar solutions are used in the Linux® and UNIX® world, but are not as widely deployed. HCM tasks on Linux® and UNIX® are managed through customized scripts and remote administration tools.
8.6.3 Issues and Weaknesses

The biggest issue presented by HCM tools in the IACS environment is the lack of standardized software, hardware, and networks. HCM tools are not cost effective or practical if the computing environment is not standardized and does not need to be. Policy could be set and enforced more easily on a system-by-system basis through remote administration tools. Adoption of the UNIX®/Linux® approach to HCM would prove more effective. Second, HCM tools are designed to oversee the configuration of the operating system and its components, and to manage user access to system resources. IACS software does not support significant or frequent changes to operating system applications such as web servers and databases. Additionally, user access restrictions are generally controlled through the application rather than the operating system.

8.6.4 Assessment for the IACS Environment

Currently, the base configuration of the operating system and its components on an IACS system is not closely controlled for security or administrative purposes. The requirements of the control application drive the host's configuration because the applications are dependent on operating system components. Since HCM tools are employed to control the configuration of the operating system and related applications, they are not cost effective or practical until the architecture of control applications changes significantly. Industrial automation and control system operators and vendors should begin to evaluate current administrative tasks and upcoming changes in application software, though, as tasks and procedures will need to be standardized. As the nature of IACS software changes with the integration of commercial off-the-shelf (COTS) operating systems and applications, the need for strong administration, change control, and security policies will increase. IACS operators and vendors should begin evaluating systems, tasks, and procedures in areas where policies may be enacted to strengthen network integrity.

8.6.5 Future Directions

IACS networks are beginning to include COTS software, become more standardized, incorporate plug-and-play capabilities, and focus on security. As these changes occur, HCM of the base operating system and application components such as web servers and databases will need to be updated, subject to version control, etc., administrative tasks that are not currently performed frequently on IACS networks.
IACS vendors and developers should begin to evaluate the need for managing host configurations and determine customers' specific HCM requirements.

8.6.6 Recommendations and Guidance

HCM tools, or specifically their functionality and architecture, will likely be ported to IACS networks as COTS software and common standards are employed. To this end, IACS application vendors and developers should understand how HCM tools are used, what the requirements are for using them effectively, and whether their use justifies the cost. Until IACS environments become more standardized and require strong administrative and security policies, IACS operators should consider which administrative and security tasks could benefit from standard HCM and what policies would be needed to manage them.

8.6.7 Information Sources and Reference Material
• tech-encyclopedia.com/configuration-management.htm
• windowsitpro.com/Files/41097/41097.pdf
• linuxworld.com/story/47811.htm?DE=1
• linas.org/linux/cmvc.html
• nwfusion.com/news/2005/012405newboundary.html
• microsoft.com/windows2000/techinfo/reskit/deploy/CCM/default.asp
• bigfix.com/products/products_capabilities.html
• configuresoft.com/roi.htm

8.7 Automated Software Management Tools

Automated software management (ASM) tools are applications used to distribute software across a network to specified hosts or groups of hosts. The kind of software that can be deployed by ASM tools depends on the type of ASM application being used. There are two categories of ASM applications and a third, informal type: the client-side module included with COTS software. ASM tools are becoming popular on networks of all sizes because of the significant role they play in centralizing and facilitating administrative and security tasks. Software lifecycle management, application version control, and patch management are now priorities on networks for a number of reasons, including:
• The incredible complexity of managing multiple versions of enterprise applications and software on a network
• The increasing importance of software lifecycle management and the cost of supporting out-of-date products
• The need for rapid testing and deployment of security patches and fixes to prevent widespread attacks on the network.

The first ASM application category is the enterprise application suite used to deploy major software packages across a network.
It can be used to manage versions of operating system components, update third party applications, push security fixes and patches, and control the general lifecycle software requirements of the organization. These ASM applications can be very expensive and resource intensive (time, administrative, physical), so they are typically used on large networks or by organizations that frequently deploy software across the enterprise and require centralized control of systems configuration. Examples of this kind of ASM software include Microsoft SMS, Altiris, ManageSoft, and LANDesk products.

The second category is the third party application used to update a very limited range of products. Patch management software is the primary example of this sort of ASM application. It is used to evaluate systems for vulnerabilities and deploy patches or updates to fix the problems. Due to the short cycle between vulnerability detection and patch installation on networks, centralized control and distribution of security fixes is critical. Many smaller networks, and organizations that need to deploy patches to a targeted group of systems within a large network, use patch management applications. Examples of these kinds of ASM tools include Patchlink, Microsoft WUS, and Shavlik HFNetChkPro.

The third, informal type of ASM tool is the update component that major COTS software vendors include in their products. These client-side modules are bundled with the application to make sure the application is up-to-date for both security and functional purposes. Such modules are available and included in applications such as antivirus products, operating systems, and other COTS products. Examples of applications using client-side modules for updating software automatically are RealPlayer, Adobe Acrobat, antivirus products, Windows® Update services, Red Hat Linux® RHN, and Debian Linux® apt-get.

8.7.1 Security Vulnerabilities Addressed by this Technology

ASM tools facilitate the deployment of security updates and patches to operating systems and applications, fixing holes through which attackers can penetrate the network. Keeping software updated for version control and lifecycle management purposes is important for both security and functional reasons.

8.7.2 Typical Deployment

ASM tools are currently deployed in a limited fashion on IACS networks. ASM software may or may not be used by IACS application vendors to handle updates, but client-side applications are being employed to manage updates for antivirus and firewall software loaded on hosts running these applications.
The implementation of client-side agents is closely controlled via policy implementation to prevent interference with the application and to restrict which updates are downloaded and deployed on IACS networks. As COTS operating systems and applications become more integrated into IACS environments, ASM tools will be more thoroughly evaluated for patch management and application version control purposes. ASM suites designed to deploy enterprise applications are not being implemented because they are not suited to the administrative and security tasks of IACS networks at this time.

8.7.3 Issues and Weaknesses

The ASM deployment and update processes must be carefully examined to ensure the update process itself does not interfere with IACS functionality. Because these applications require administrative access to the host and dedicated physical resources on the host, loading agents from any of the three ASM categories should be monitored and tested thoroughly before deploying them on production systems. The agent software itself could disrupt system functionality. A well-defined testing and deployment procedure should be developed to determine which updates should be applied and how they should be tested before being placed on the production system. Testing is critical on all networks, but plays an even greater role in deploying software to IACS hosts.

Since ASM tools often pull updates from external websites, the architecture and communications of these applications should be carefully considered before employing them on protected networks. These tools could introduce paths for vulnerabilities onto IACS networks that need to be secured or removed. The integrity of the data being pulled down as updates should also be reviewed before it is applied to IACSs. The introduction of corrupted or malicious data could impede IACS capabilities or compromise the system.

8.7.4 Assessment for the IACS Environment

Client-side agents and modules that manage application updates are already being employed in IACS environments because they do not interfere with the performance of the IACS. These tools are being used for operating system and application updates related to antivirus software and firewalls, but can also be used to manage application version control for web-based console components and IACS application updates. As patch management becomes a more important consideration for IACS vendors, third-party applications designed to deploy security updates may be evaluated and tested for use.
Patch-specific ASM tools are well suited to IACS networks because these networks are often widespread and already centrally administered. This type of technology lends itself well to networks with fewer hosts requiring patches, as is the case in IACS environments, and is very cost-effective. Enterprise ASM suites will probably not be applied to IACS networks because they are designed for large networks whose systems and enterprise applications require patching.

8.7.5 Future Directions

Client-side update agents and modules will become more prevalent as COTS software is deployed on IACS networks. As patching becomes more important, security-specific ASM applications will become more common. Widespread employment of security-specific ASM tools will not, however, occur until the applications are able to handle the infrequent patch cycles typical of these networks.

8.7.6 Recommendations and Guidance

Industrial automation and control systems operators and vendors need to review closely the potential utility of these tools as COTS software is more heavily employed on these networks. Testing and software management policies should be developed to support these tasks and to clearly define which software updates are really needed. Once ASM tools are deployed, hosts on the network should be reevaluated in case the tools introduce security concerns.

8.7.7 Information Sources and Reference Material

NOTE: Many of these references are product specific, but the case studies and general information on the tools provide good predictive guidance for ASM applications on IACS networks.
• landesk.com/Products/LDMS/index.aspx
• altiris.com/products/swdeliverysuite/
• microsoft.com/smserver/evaluation/default.asp
• windowsitpro.com/windows/Article/ArticleID/43870/43870.html
• shavlik.com/whitepapers.aspx
• windowsupdate.microsoft.com
• techworld.com/features/index.cfm?RSS&FeatureID=1203
• nwfusion.com/techinsider/2005/011705patchma.html
• managesoft.co.uk/solution/distribution/index.xml
• emex.com/qunetix/sdwhitepaper.pdf

9 Industrial Automation and Control Systems Computer Software

The software used in IACS equipment is a vital factor in determining the overall security of the control system.
It provides a certain degree of protection by mediating access to devices, but it can also be a source of vulnerability due to programming errors (buffer overflows) or inattention to security issues during the development process. This section examines the security of three key software components used in IACSs:
• Server and Workstation Operating Systems
• Real-time Embedded Operating Systems
• Web Servers and Internet Technologies.
This section does not discuss the security of individual IACS application programs.

The operating system, or OS, is the most important program that runs on a computer. Every general-purpose computer has an operating system that performs basic tasks, such as recognizing input from the keyboard, sending output to the screen, keeping track of files and directories on the hard disk, and running the software applications loaded on the computer. On large computers, the operating system also has the responsibility to make sure that different programs and users do not interfere with each other. The operating system is also responsible for ensuring that unauthorized users are not granted access to the system.

Web and Internet technologies are becoming increasingly popular in IACSs because they make it easy to distribute timely production information to users outside the control room. However, they also make IACSs more susceptible to cyber attacks due to the high number of vulnerabilities in the technology at its current stage of development.

9.1 Server and Workstation Operating Systems

The operating system is the foundation software of a computer. It typically schedules tasks, allocates storage, and provides the following services:
• A default user interface when no applications are running
• An application programming interface for software development
• An interface to the machine's hardware and peripherals.

9.1.1 Security Vulnerabilities Addressed by this Technology

The operating system is the last line of defense to protect applications and sensitive information. It typically identifies and authenticates the user through a login/password mechanism and determines which resources (files, applications, communications ports) are accessible to the user. It can provide auditing services to record security events and actions (logon, logoff, resource access, configuration changes). The OS typically provides a mechanism that ensures only designated persons can make changes to system configurations and security policies.
9.1.2 Typical Deployment

In the Industrial Automation and Control System environment, SCADA hosts, plant computers, and HMI stations typically use the same server and workstation operating systems common in the IT world (mainly Windows® and UNIX®). PLCs, RTUs, DCS controllers, and data acquisition equipment typically use specialized real-time embedded operating systems. The remainder of this section deals with server and workstation operating systems; section 9.2 covers real-time operating systems.

9.1.3 Issues and Weaknesses

UNIX®, Linux®, and Windows® operating systems base their security on the concept of discretionary access control (DAC) and provide two categories of user:
• An administrator who has full access to all system resources
• Ordinary users who have full access to the applications and files they need to do their jobs.
DAC does not enforce a system-wide security policy; protective measures are largely under the control of individual users. Any program run by a user inherits the permissions of that user and is free to modify any files the user can access. Therefore, DAC-based operating systems are susceptible to virus and Trojan attacks.

Additional operating system weaknesses are caused by:
• Poorly chosen passwords—passwords that are easy to remember (because they are short or a dictionary word) are also easy to crack
• Default or infrequently changed passwords
• Unseen security risks caused by modern operating systems that start services that automatically connect to the network
• Remote access servers on the network.

9.1.4 Assessment for the Industrial Automation and Control System Environment

Server and workstation operating systems are widely used in the Industrial Automation and Control System environment at the operator HMI, plant computer, and supervisory control levels. These operating systems are also used extensively in business applications, although the security policies may require modification to suit the needs of control systems.

Security policies must balance the need for protection against the need for users to easily access required applications. In an office setting, the temporary inability to access email or run a spreadsheet is not a serious issue. In the Industrial Automation and Control System environment, in contrast, it is often critical that operators have immediate access to systems and applications. Therefore, security policies that lock out users after a certain number of failed password attempts, or that rapidly age passwords and require them to be changed frequently, are likely not appropriate.
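The DAC weakness described in 9.1.3 (a program inherits the rights of the user who runs it) beside the mandatory access control and isolated security domains that 9.1.5 lists as future directions, as an added Python simulation that is not part of the report. The users, files, labels, domains and the 'trojan' program are all constructed; the policy model is a simplified label-and-domain scheme, not any particular product's.

```python
"""Added example, not from ISA-TR99.00.01-2007: why a program run under
discretionary access control (DAC) inherits its user's rights (9.1.3), and how
a mandatory access control (MAC) policy enforced by the operating system
confines the same program (9.1.5). Users, files, labels and the 'trojan' are
all constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class File:
    owner: str
    owner_may_write: bool   # the DAC permission bit the owner controls
    label: str              # MAC label assigned by the central administrator
    content: str = ""


class AccessDenied(Exception):
    pass


# MAC policy: which labels each program domain may write. Set centrally; a
# user cannot loosen it the way a DAC owner can change a file's mode.
MacPolicy = Dict[str, Set[str]]


@dataclass
class Kernel:
    files: Dict[str, File]
    mac_policy: Optional[MacPolicy] = None   # None = plain DAC system
    audit: List[Tuple[str, str, str, bool]] = field(default_factory=list)

    def write(self, user: str, domain: str, path: str, data: str) -> None:
        f = self.files[path]
        # DAC: only the user's identity matters, so any program the user runs
        # (a trojan included) gets exactly the user's rights.
        dac_ok = f.owner == user and f.owner_may_write
        # MAC: the program's domain matters as well, regardless of who runs it.
        mac_ok = (self.mac_policy is None
                  or f.label in self.mac_policy.get(domain, set()))
        allowed = dac_ok and mac_ok
        self.audit.append((user, domain, path, allowed))  # audit trail (9.1.1)
        if not allowed:
            raise AccessDenied(f"{user} in domain {domain} may not write {path}")
        f.content = data


def try_write(kernel: Kernel, user: str, domain: str, path: str, data: str) -> bool:
    """Attempt a write and report whether the kernel allowed it."""
    try:
        kernel.write(user, domain, path, data)
        return True
    except AccessDenied:
        return False


def make_files() -> Dict[str, File]:
    """Constructed host: the operator owns both the setpoint file and a notes file."""
    return {
        "/plant/setpoints.cfg": File("operator", True, "control_config", "setpoint=100"),
        "/home/operator/notes.txt": File("operator", True, "user_data", ""),
    }


def simulate() -> Dict[str, bool]:
    """Run the same constructed trojan (a program the operator was tricked into
    launching, so it runs as 'operator' in the ordinary user-application domain)
    on a DAC-only host and on a host with a MAC policy."""
    results: Dict[str, bool] = {}

    dac_host = Kernel(make_files())  # DAC only: user identity is the whole check
    results["dac_trojan_changes_setpoints"] = try_write(
        dac_host, "operator", "user_app", "/plant/setpoints.cfg", "setpoint=9999")

    policy: MacPolicy = {"hmi_app": {"control_config"}, "user_app": {"user_data"}}
    mac_host = Kernel(make_files(), policy)
    results["mac_trojan_changes_setpoints"] = try_write(
        mac_host, "operator", "user_app", "/plant/setpoints.cfg", "setpoint=9999")
    # The legitimate HMI, in its own domain, keeps working under the same policy.
    results["mac_hmi_changes_setpoints"] = try_write(
        mac_host, "operator", "hmi_app", "/plant/setpoints.cfg", "setpoint=105")
    # The user-application domain is still allowed to touch user data.
    results["mac_trojan_changes_notes"] = try_write(
        mac_host, "operator", "user_app", "/home/operator/notes.txt", "x")

    results["mac_setpoints_intact"] = (
        mac_host.files["/plant/setpoints.cfg"].content == "setpoint=105")
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```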
Industrial Automation and Control System operating system security policies should also take into account physical security (see section 10), as access to control centers is frequently limited to authorized personnel only. Policies regarding applying patches to operating system components create another situation where standard procedures do not fit the IACS environment. A patch may remove a vulnerability, but it can also introduce greater risk from a production or safety perspective.

9.1.5 Future Directions

High-security versions of popular operating systems, such as Microsoft Next-Generation Secure Computing Base, National Security Administration (NSA) Security Enhanced Linux®, and Hewlett Packard Secure OS for Linux®, are beginning to appear. These systems currently incorporate the following security concepts: encrypted file systems, disabling of unnecessary network ports, and client-side firewalls. More sophisticated security technologies include:
• Strong process isolation—protecting pages of main memory so an application can be assured it is not modified or observed by any other application, even the operating system.
• Sealed storage—ensuring that only the application that saved the data (or a trusted designated application or entity) can open it.
• Secure channels—allowing data to move safely from the keyboard/mouse to applications, and from applications to a region of the screen.
• Attestation—enabling users to authenticate the software or combination of software and hardware, based upon a cryptographically identified trusted software stack.
• Mandatory access control—providing a means for a central administrator to apply very fine-grained access policies enforced by the operating system.
• Isolated security domains—preventing unauthorized communication between programs to limit the damage of an attack.
• System event auditing—providing a full security audit trail.
• File system integrity—checking for signs of tampering.

9.1.6 Recommendations and Guidance

Recommendations and guidance on operating system security are highly dependent on both the system and the environment. However, general recommendations are:
• Disable unnecessary services
• Change the vendor's default passwords.

9.1.7 Information Sources and Reference Material
• Controlled Access Protection Profile, U.S. NIST niap.nist.gov/cc-scheme/pp/PP_CAPP_V1.d.html
• Labeled Security Protection Profile, NSA, U.S.
NIST niap.nist.gov/cc-scheme/pp/PP_LSPP_V1.b.html
• Microsoft Next-Generation Secure Computing Base, Microsoft Corp. microsoft.com/presspass/features/2002/jul02/0724palladiumwp.asp

9.2 Real-time Embedded Operating Systems

Operating systems form the foundation software of computers other than the workstations used in the control environment as well. They typically schedule tasks, allocate storage, and provide an application programming interface for software development and an interface to the machine's hardware and peripherals. A real-time operating system (RTOS) guarantees that interrupts are handled within a certain specified maximum time, thereby making it suitable for control and other time-critical applications. Typically, an RTOS is deployed in embedded systems with severe resource constraints compared to conventional desktop or workstation computers. In addition to time-based constraints, they are designed for hardware environments where:
• There is limited memory capacity
• Programs are loaded from a read-only memory or flash memory device
• No disk is available for data or program storage
• Processing power is limited (8 or 16 bit processors are still common in many embedded applications).

9.2.1 Security Vulnerabilities Addressed by this Technology

In an embedded application, the RTOS is the last line of defense to protect applications and control outputs from external attacks or from someone gaining unauthorized access at the remote site where the embedded device is located. If the device has a user interface, it is likely protected by a simple password mechanism.

9.2.2 Typical Deployment

Real-time operating systems are widely used in IACSs as the key software in data acquisition and control equipment such as RTUs, PLCs, IEDs, and DCS controllers. These systems typically have a variety of digital, analog, and pulse counter input and output ports connected to sensors and actuators to monitor and control the physical process. They also have at least one network connection that serves as the main interface between the device and the host computers running HMI, SCADA, or control software. Network connections may be serial interfaces for devices located at remote locations, using radio or telephone links back to a central site. Other devices support specialized industrial networks, such as Foundation Fieldbus®, PROFIBUS®, or ControlNet®. Increasingly, embedded systems provide a TCP/IP network connection to incorporate Internet services such as email, FTP file transfers, and even Web servers.
These network connections are used to:

• Request data transfers from the device (polling)
• Transmit data or event notifications to the host computer (report by exception)
• Download operating parameters such as alarm limits and setpoints
• Switch outputs on or off or, in the case of an analog output, adjust its value
• Download updated application programs.

9.2.3 Issues and Weaknesses

Generally, RTOS designers have not placed security at a high priority compared to the other constraints they must deal with. Most embedded controllers' software, operating systems, and communication protocols are commonly available and accessible. While obscurity may have been an adequate defense in the past, things have changed:

• The majority of embedded systems are now Internet enabled, and some even feature wireless access for convenience
• The nature of the threat has become more serious. There is increasing concern that cyber terrorists will target embedded applications because they are often connected directly to physical processes.

Most RTOSs have no mechanism for denying access to system resources unless there is a timing conflict. Embedded systems typically have a flat memory space available to all processes. As a result, malicious programs introduced into the embedded device (e.g., through its network connection) are free to read or modify any data and can cause havoc with the normal operation of the device. Other issues include:

• Using default or infrequently changed passwords on devices with user interfaces
• Inadequate resources in the RTOS kernel for using security applications
• Inappropriate interrupt priorities that do not include security.

9.2.4 Assessment for the Industrial Automation and Control System Environment

In the IACS environment, "edge" devices like RTUs, PLCs, and controllers are arguably as important as, or more important than, the host computers. They perform measurement functions, make logic and control calculations, and issue commands to modify the operating process. These devices are embedded computers that rely on an RTOS for basic operation. Furthermore, the nature of industrial control requires that these devices accept parameters, commands, and even downloads of programs through a network connection. The combination of limited internal security features, plus the requirement that these devices accept commands sent over the network, makes these systems vulnerable to cyber attacks unless they are on a truly isolated network. The problem is further aggravated by the trend to Internet enable these devices and to use Internet connectivity for adding convenience features like web servers for remote administration.

9.2.5 Future Directions

Derivatives of Linux® and Windows® desktop operating systems, with real-time characteristics, are beginning to appear in embedded applications. These operating systems may be more familiar to potential attackers than a specialized RTOS, but they also provide more security features. As network-connected embedded devices become universal, security features need to be developed and added to, or built into, the RTOS.

9.2.6 Recommendations and Guidance

It is important to carefully isolate the communication networks used for IACS applications, especially if TCP/IP is used as the transport mechanism. One recommendation is to separate time-critical application traffic from information traffic (i.e., loading, diagnostics, and resource management) in order to limit vulnerability and the possibility of attack. This method of isolation would limit access to the information traffic by external users.

9.2.7 Information Sources and Reference Material

• Enhancing Embedded Security, R. Monkman, EDN Magazine, October 17, 2002. opengroup.org/press/articles/17oct2002-Enhancg%20Embedded%20Security.pdf
• Does Obscurity Equal Security?, E. Correia, Software Development Times, December 15, 2001. sdtimes.com/news/044/special1.htm

9.3 Web Technologies

Web technologies are being added to a wide variety of IACS products because they make information more accessible, and make products more user-friendly and easier to configure remotely.

9.3.1 Security Vulnerabilities Addressed by this Technology

The software discussed in this section is not inherently designed to address security vulnerabilities. Instead, it is included because it is rapidly becoming omnipresent in IACS products, and its impact on control system security needs to be better understood. Web servers and browser clients both support SSL (Secure Sockets Layer), which provides encryption of the data passing between the components.

9.3.2 Typical Deployment

SCADA and historian software vendors typically provide web servers as a product option so that users outside the control room can access current and historical production information.
In many cases, software components such as ActiveX® controls or Java® applets must be installed or downloaded onto the client machine accessing the web server. Other products, such as PLCs and other control devices, are available with embedded web, FTP, and email servers to make them easier to configure remotely and to allow them to generate email notifications or reports when certain conditions occur.

9.3.3 Issues and Weaknesses

The U.S. Federal Bureau of Investigation lists web servers at, or near, the top of its most frequent vulnerabilities on both Windows® and UNIX® systems.7 Using ActiveX® controls can be an extremely insecure way to provide a feature. These controls are based on the component object model, and can do anything the user can do on the computer (e.g., reading and writing the registry or accessing the local file system). Downloading an ActiveX® control may make the computer vulnerable to attack because any Web application can use the control for its own ends, whether sincere or malicious.

9.3.4 Assessment for the Industrial Automation and Control Systems Environment

Web servers and Internet technologies are attractive because of the features and convenience they add to an IACS installation. However, they also add risks and create security vulnerabilities that need to be addressed.

9.3.5 Future Directions

Security appliances (gateways) are beginning to appear as application proxies able to examine web, FTP, and email traffic to block attacks and to prevent the downloading of ActiveX® controls and Java® applets.

9.3.6 Recommendations and Guidance

In the past, the IACS was somewhat secure because the systems had no connection to other electronic systems or to the web. By adding these connections, a great deal of information can be passed back and forth, which saves time and improves processes. Before implementing these connections, particularly those that lead to the web, the IACS must be made secure. The best protection for IACSs against cyber attacks through the web is to have no connections that lead to the web. It may not be advantageous for many IACSs, particularly small ones, to connect to other systems including the web. Unless there is a substantial benefit to connecting IACSs to the web, the systems are best left standing alone. Obviously, there are substantial advantages for many IACSs in being connected to other systems including the web. Even in this case, access from the web to the IACS should be greatly limited to those connections necessary for particular administrative services. In forming these connections, the latest security appliances need to be installed. These appliances include highly defensive DMZs and include firewalls located at the connection to the web in front of the process, as they are fully developed and made available.

9.3.7 Information Sources and Reference Material

• SANS Top 20 Internet Security Vulnerabilities. SANS Institute Reading Room page. sans.org/top20/
• Designing Secure ActiveX Controls. MSDN. msdn.microsoft.com/library/default.asp?url=/workshop/components/activex/security.asp

7 SANS Top-20 Internet Security Attack Targets (2006 Annual Update), sans.org/top20/, Version 7.0, November 15, 2006

10 Physical Security Controls

Physical security controls are any physical measures, either active or passive, that limit physical access to any informational assets in the IACS environment. These measures are employed to prevent many types of undesirable effects, including:

• Unauthorized physical access to sensitive locations
• Physical modification, manipulation, theft or removal, or destruction of existing systems, infrastructure, communications interfaces, personnel, or physical locations
• Unauthorized observation of sensitive informational assets through visual observation, note taking, photographs, or other means
• Prevention of the unauthorized introduction of new systems, infrastructure, communications interfaces, or hardware
• Prevention of the unauthorized introduction of devices intentionally designed to cause hardware manipulation, communications eavesdropping, or other harmful impact.

The intent of this technical report is to focus on security issues, especially electronic security, in IACSs. However, physical security must not be ignored. Physical security has always been a principal defense in preventing unauthorized access to, or corruption of, informational assets, and the intentional or unintentional destruction of property. In a significant portion of documented attacks against IACSs, elements of physical access were violated in order to execute the penetration. There are a variety of standards materials, reference guides, and regulatory requirements documented in much detail that should be referred to when developing a security program. The remainder of this section broadly covers the topic of physical security controls. There are three general categories of physical security devices.
• Passive Physical Security Devices—This category includes physical controls such as fences, walls, concertina wire (barbed wire, razor wire, etc.), anti-vehicle ditches, concrete barriers, earthen walls or mounds, and other access limiting devices. Passive security devices are typically categorized as being large in size or mass, are used either to protect physical entities or to prevent access to specific locations, and are active at all times. These devices require no manual intervention to either engage or disengage their security activities.
• Active Physical Security Devices—These devices play an active role in physical security, and include doors, locks of various types, gates, retractable road obstructions, and other devices that are intentionally engaged or disengaged based on either time intervals, autonomous control, or the specific intervention of an outside source. These devices are often coupled with additional identification and monitoring devices to enhance their functionality.
• Identification and Monitoring Devices—This category includes still and video cameras, motion sensors, vibration sensors, heat sensors, biometric authentication and recording devices, and a variety of other devices. In themselves, they do not specifically control or limit access to a physical location or system. The design intent of these devices is specific to detecting, identifying, and recording physical entities, including the state or physical presence of individuals, vehicles, systems, and other identifiable physical objects.

10.1 Physical Protection

10.1.1 Security Vulnerabilities Addressed by this Technology

The main applications of physical security controls applied in the IACS environment are:

• Access Monitoring Systems—Access monitoring systems include still and video cameras, sensors, and various types of identification systems. Examples of these systems include cameras monitoring parking lots, convenience stores, and airline security. These devices do not specifically prevent access to a particular location; rather, they store a record of either the physical presence or the lack of physical presence of individuals, vehicles, animals, or other physical entities.
• Access Limiting Systems—Access limiting systems may employ a combination of devices to physically control or prevent access to protected resources.
Access limiting systems include both active and passive security devices such as fences, doors, safes, gates, and guards. They are often coupled with identification and monitoring systems to provide role-based access to specific individuals or groups of individuals.

Vulnerabilities addressed by physical security controls include those where there is a physical threat of unauthorized physical access, modification, manipulation, destruction, introduction, theft, or removal of any informational asset in the IACS environment. These vulnerabilities include:

• Theft and/or disclosure of confidential information, trade secrets, or physical property
• Destruction of property to inflict intentional business loss
• Unauthorized access by individuals, vehicles, or other physical entities
• Unauthorized use of equipment or informational assets
• Observation of proprietary business practices or activities
• Release of hazardous materials.

10.1.2 Typical Deployment

The deployment of physical security controls is often subject to environmental, safety, regulatory, legal, and other requirements that must be identified and addressed as specific to a given environment. The subject of deploying physical security controls is vast and needs to be specific to the type of protection needed.

• Protection of Media Assets—Assets include software on compact discs, printed reports, and other documents. Physical security controls should address the specific requirements for safely maintaining these assets, and provide specific guidance on transporting, handling, and destroying the assets. Security requirements could include safe storage from fire, theft, unintentional distribution, or environmental damage.
• Protection of Physical Assets—Physical entities include control systems, access terminals, scanners, computers, and other physical information assets. Security requirements should address prevention of the undesirable introduction or removal of systems, undesirable destruction of existing systems, physical access controls (knobs, levers, and other sensitive equipment), and undesirable access to other physical systems.
• Protection of Personnel—Protection of personnel applies to measures meant to prevent injury or death to any humans or animals, either internal or external to the IACS environment. Examples include gates or doors preventing access to moving parts, barricades to separate human foot-traffic from moving parts, and environmental sensors meant to measure the presence of dangerous chemical releases.
• Protection of Physical Locations—Classic physical security considerations typically refer to a ringed architecture of layered security measures. Creating several physical barriers, both active and passive, around buildings, facilities, rooms, equipment, or other informational assets establishes physical security perimeters. Physical security controls meant to protect physical locations include fences, anti-vehicle ditches, earthen mounds, walls, reinforced barricades, gates, and other measures. Most organizations include this layered model by preventing access to the plant with fences, guard shacks, gates, and locked doors. In the internal plant environment, specific locations are typically protected with access-limiting devices.

10.1.3 Issues and Weaknesses

Violations of physical security controls are characterized by a noticeable result, such as a fence being cut, a wall being destroyed, or equipment being removed. However, there are areas of weakness regarding physical security controls:

• Evidence of tampering or penetration, either attempted or successful, is either unnoticed or ignored. Daily inspections and audits of highly sensitive equipment should be conducted to ensure the adequacy of physical security controls. Many physical attacks are preceded by several hours or days of "target preparation," including observation and removal of obstacles. A potential weakness in a physical security system is the failure to notice and appropriately react to patterned behavior that suggests an imminent or successful attack.
• Security perimeters and monitoring zones are not clearly defined. A thorough vulnerability assessment must be conducted and the results carefully analyzed to ensure the adequacy of security measures. Many physical security plans fail because organizations fail to properly notice weaknesses and vulnerabilities, or fail to clearly define security areas.

10.1.4 Assessment for the Industrial Automation and Control Systems Environment

A physical security plan is essential to protecting the IACS environment. A potential critical weakness in any security plan is that physical vulnerabilities often go ignored, or little attention is paid to them.
A well-designed facility with carefully mapped secure areas and access control often carries several benefits for the overall security plan, making many technological and physical attacks impractical or improbable. Physical security perimeters, properly implemented, may reduce the need for costly or maintenance-intensive technological options to protect sensitive assets. Hardening communication lines and adding access control and access-limiting features such as fences and barriers can provide significant cost-optimized benefits to the overall security plan. For example, consider facilities with time-critical applications where adding cumbersome password or encryption features to protect the systems may be impractical. Designing a security perimeter to include physical security controls such as guards, fences, and access control systems ensures that authorized users are able to access the necessary information assets. Because the design is secure, it may help reduce the requirements for password protection or encryption. The major disadvantage of physical security measures is that it is often difficult to retroactively implement large physical security measures in space-constrained areas. Rebuilding a structure to harden it against physical attacks may be impractical once the facility is already in place. Physical security controls should be considered early in the design process of a secure facility, as it may result in substantial costs to retroactively improve the security of a facility.

10.1.5 Future Directions

Physical security controls are much slower to change than the wide field of available security tools. Many physical security controls will continue to be viable in the future. However, as technology advances make it possible to enhance these activities, access control and access monitoring tools will continue to be developed.

10.1.6 Recommendations and Guidance

The following recommendations provide basic guidance for considering and implementing physical security controls:

• Physical protection is achieved by implementing several physical barriers of protection around informational assets. These barriers must be tailored to the specific threat of concern, such as explosive or vehicular damage.
• Security perimeters should be clearly defined and carefully monitored on a daily basis for evidence of penetration, penetration attempts, tampering, or particular patterns of tampering that could indicate an imminent physical attack.
• Security perimeters should be kept clear of vegetation or other places of hiding outside the security boundary.
• Facilities should be protected so that it is difficult to observe business activities inside, revealing as little as possible of the building's purpose.
• A document management strategy and policy should be implemented that clearly defines proper procedures for storing, handling, routing, and destroying sensitive documents.
• Sensitive documents and media material no longer needed should be destroyed completely.
• Often a line of defense for physical protection is a manned reception area.
• Access to the facility and to internal locations by employees, contractors, and any visitors should be monitored and recorded with the date and time of entry and exit.
• Periodic investigations of the structural soundness of physical security measures should be conducted.

Also recommended are the following:

• Locate sensitive equipment with similar functions in segmented areas, and apply proper physical security measures to ensure that access to critical systems is available to the intended individuals. If possible, do not mix systems of various functions.
• Harden communications lines such as networking cables, phone lines, and power lines in underground conduit to prevent tampering, destruction, or the introduction of listening devices.
• Isolate delivery and loading areas from any critical systems. These areas are often likely sources of attack or damage from potentially hazardous materials.
• Inventory critical assets and audit periodically to identify any missing equipment.
• Tag physical inventory with tamper-resistant labels to prevent removal of property.
• Implement a clear-desk, clear-screen policy to prevent sensitive information from being observed or removed from the area.

10.1.7 Information Sources and Reference Material

There are a variety of physical security regulatory requirements specific to each industry sector. These issues should be investigated fully to determine any legal or regulatory requirements for implementing physical security controls. Some general guides are listed below.

• ISO/IEC 17799:2000, Information technology -- Code of Practice for Information Security Management. nssn.org/.
• CERT Guide to System and Network Security Practices, J. Allen, Addison-Wesley Press – 2nd printing December 2001. awprofessional.com.
• Security Architecture – Design, Deployment & Operations, C. King, C. Dalton, T. Osmanoglu, RSA Press, 2001. rsapress.com.
• DoD Directive Number 5100.7, dtic.mil/whs/directives/corres/text/p510076m.txt

10.2 Personnel Security

Personnel security measures are meant to reduce the possibility or risk of human error, theft, fraud, or the intentional or unintentional misuse of informational assets. There are three main aspects of personnel security:

• Hiring Policies—This category includes pre-employment screening, the interview process, hiring policies, complete job descriptions detailing duties, terms and conditions of employment, and the legal rights and responsibilities of employees and contractors.
• Company Policies and Practices—These include security policies, information classification, document and media maintenance and handling policies, user training, acceptable usage policies for company assets, periodic employee performance reviews, and any other policies or actions that detail the expected or required behavior of company employees, contractors, and visitors.
• Terms and Conditions of Employment—This category includes job position responsibilities, notification to employees of terminable offenses, disciplinary actions or punishments, and periodic employee performance reviews.

10.2.1 Security Vulnerabilities Addressed by this Technology

An analysis of security incidents indicates that people with internal knowledge of an organization can do an overwhelming amount of intentional or unintentional harm to business information assets. These individuals include employees, contractors, temporary staff, consultants, delivery personnel, and others (many malicious attacks are a direct result of worker dissatisfaction or a sense of being "wronged" in the workplace environment). Personnel security seeks to limit the potential harmful impact on business information assets by improving the overall ability of the organization to monitor how people interact with the business on a daily basis.

Personnel security involves many aspects that seek to improve overall security. The following items are examples of personnel security management and the types of vulnerabilities that may be addressed. These examples fit either partially or wholly into the three categories listed above.
• Employee training for a particular job function—Seeks to minimize the potential for inadvertent failure or accidents.
• Security training—Ensures that the individual is aware of his or her responsibility to perform the required security procedures in his or her day-to-day job.
• Written job description and employee responsibilities—Detail the relationships between the employee, contractor, or other workers and the business and its informational assets. Seeks to minimize accidental impact on the company.
• Written company policies—Establish strict company policy on issues such as employee vacation, disciplinary actions, acceptable Internet policies, home-work policies, after-hours access, overtime pay, travel reimbursement, and other policies that may become relevant during the tenure of an employee at a business location. These policies are also necessary to reduce potential ambiguity in difficult situations, help minimize potential conflicts between managers and workers, limit scheduling conflicts, and prevent miscommunication or misunderstanding of company policies. No policies of the company should be enforced without being written down and made available to all workers.
• Terms and conditions of employment—Establishes the worker's responsibility to the company, the worker's rights, the legal responsibilities of both the company and the worker, policies, procedures, and grounds for termination. Prevents miscommunications between managers and workers and establishes a clear understanding for the worker of what is acceptable business practice.

10.2.2 Typical Deployment

Hiring Policies—Guidelines intended for managers and personnel responsible for hiring employees must be followed when interviewing potential future workers. These policies must be clearly communicated as instructions in writing and made available to any potential hiring manager. Minimally, they should detail:

• Acceptable interviewing techniques
• Company standards for employment
• Position descriptions and job titles
• Pre-screening requirements, background checks, profiles, etc.

Company Policies and Practices—This widely ranging subject should be addressed comprehensively. Company policies to be enforced should be written down and readily available to all workers. Examples of company policy include:

• Acceptable use of informational assets
• Travel policies and reimbursement
• Media and document management
• Work hours, after-hours work, and overtime policies
• Safety procedures and violation notifications
• Emergency procedures and notification
• Hazardous material handling
• Maintenance procedures.

Company policies may be written in an employee handbook, distributed via email notices, located in a centralized resource area, or posted directly in the worker's area of responsibility.

Terms and Conditions of Employment—Terms and conditions of employment are typically written in a form provided by means of employee handbooks, posted notices, or widely available message boards or Web pages. Terms and conditions of employment should clearly define worker rights, employment conditions, terminable offenses, disciplinary action procedures, and any appeals policies.

10.2.3 Issues and Weaknesses

• No hiring policies, procedures, or background checks can help an organization determine with certainty whether an individual might one day cause harmful interference in business environments.
• Training programs that are not adequately prepared or administered are often difficult to recognize. Training programs should be periodically reviewed internally to ensure their viability in the work environment.
• Companies are often limited legally in terms of the personal background information they are allowed to obtain for a given position. There are often clear exceptions, however, if the position is in a particularly high-risk environment or there are limiting physical requirements to safely conduct the assigned work tasks. Legal consultation and advice is highly recommended when trying to determine the extent of information that may be obtained and used in individual hiring.
• Personnel security screening and hiring practices are highly subjective in nature, and it is difficult to assign a rigid protocol by which employees are evaluated.

10.2.4 Assessment for the Industrial Automation and Control Systems Environment

Properly designed personnel security programs help ensure that individuals are properly trained for their jobs and thoroughly screened for potential issues that may affect job performance. The difficulty in this environment is that the personnel screening process is very subjective and highly dependent on personal observation.
It is often necessary to involve several people in personnel security issues in order to obtain a complete picture of a given individual. Further, training effectiveness is highly subjective and based upon the individual abilities of the people conducting the class, trainee comprehension, the current ability and knowledge levels of the trainees, and the overall coherence of the training material. Training programs and instructors should be periodically reviewed and evaluated for effectiveness.

10.2.5 Future Directions

Personnel security often involves practices that are slow to change over time. The legal aspects of personnel security, however, are often subject to change and should be periodically reviewed.

10.2.6 Recommendations and Guidance

The following guidance is provided to give a basic example of a comprehensive personnel security program.

• Hiring Policies—Job descriptions are carefully considered, job requirements established, and personnel pre-screened for the qualifications of a given job. Job interviews focus on clearly identifying how well a candidate matches the potential job description. All employees, contractors, and temporary workers are subjected to a background check that, at a minimum, should include a criminal records check, an employment verification check, and an educational records check. Positions in high-risk or sensitive areas may require other tests, as appropriate, and may be subject to the physical, regulatory, legal, or other aspects of the particular job.
• Company Policies and Practices—All employees, contractors, and temporary workers should be fully trained in the basic responsibilities of their jobs, the terms and conditions of employment, disciplinary actions and the appeal process, security requirements, and safety requirements. Periodic review of employees and/or retraining should be established to ensure that employees remain aware of their job functions. Training programs should be carefully developed to ensure that each employee has received the training relevant and necessary to his or her job functions. Further, ensure that employees have demonstrated competence in their job functions. Sensitive documents, media, and other corporate informational assets should be protected from unintentional or unauthorized disclosure. Determine a sufficient length of time to maintain possession of these assets, and destroy the information securely after that period. Place routing, classification, or authorization markings on a cover sheet for documents and media, and take measures to ensure proper handling. Any company policies governing employee behavior, business practices, or any other aspects of the business should be developed, in writing, and made available. This activity can be done through a centralized knowledge management system, document repository, library, posted signs or document lists at work stations, or any combination of the above.
• Terms and Conditions of Employment—Employees, contractors, and temporary workers should be notified of the terms and conditions of employment. Conditions should include, at a minimum:
- Acceptable behavior
- Physical requirements
- Educational and annual training requirements
- Termination of employment, both the employee providing notice to the company and the obligation of the company to notify the employee
- Terminable offenses
- Security requirements
- Drug and alcohol policy, including periodic random screenings
- Dress code.

All company policies regarding employee behaviors, actions, and the like should be in writing and made freely available. All disciplinary actions should be captured in writing and stored, no matter the severity of the infraction.

10.2.7 Information Sources and Reference Material

• ISO/IEC 17799:2000, Information technology -- Code of practice for information security management. nssn.org/, iso.ch, iec.ch
• CERT Guide to System and Network Security Practices, J. Allen, Addison-Wesley Press – 2nd printing December 2001. awprofessional.com.
• Security Architecture – Design, Deployment & Operations, C. King, C. Dalton, T. Osmanoglu, RSA Press, 2001. rsapress.com.

Developing and promulgating sound consensus standards, recommended practices, and technical reports is one of ISA's primary goals. To achieve this goal the Standards and Practices Department relies on the technical expertise and efforts of volunteer committee members, chairmen, and reviewers. ISA is an American National Standards Institute (ANSI) accredited organization.
ISA administers United States Technical Advisory Groups (USTAGs) and provides secretariat support for International Electrotechnical Commission (IEC) and International Organization for Standardization (ISO) committees that develop process measurement and control standards. To obtain additional information on the Society's standards program, please write: ISA, Attn: Standards Department, 67 Alexander Drive, P.O. Box 12277, Research Triangle Park, NC 27709. ISBN: 978-1-934394-42-7

NOTICE OF COPYRIGHT
This copyrighted document may not be copied or distributed in any form or manner without the permission of ISA. This copy of the document was made for the sole use of the person to whom ISA provided it and is subject to the restrictions stated in ISA's license to that person. It may not be provided to any other person in print, electronic, or any other form. Violations of ISA's copyright will be prosecuted to the fullest extent of the law and may result in substantial civil and criminal penalties.

TECHNICAL REPORT ANSI/ISA-TR99.00.02-2004
Integrating Electronic Security into the Manufacturing and Control Systems Environment
Approved 10 October 2004
ANSI Technical Report prepared by ISA

ANSI/ISA-TR99.00.02-2004, Integrating Electronic Security into the Manufacturing and Control Systems Environment. ISBN: 1-55617-889-1. Copyright 2004 by ISA—The Instrumentation, Systems, and Automation Society. All rights reserved. Not for resale. Printed in the United States of America. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without the prior written permission of the Publisher. ISA, 67 Alexander Drive, P.O. Box 12277, Research Triangle Park, North Carolina 27709 USA

Preface

This preface, as well as all footnotes and annexes, is included for information purposes and is not part of ANSI/ISA-TR99.00.02-2004. This document has been prepared as part of the service of ISA—The Instrumentation, Systems, and Automation Society, toward a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P.O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: standards@isa.org.

Publication of this ANSI Technical Report has been approved by the Accredited Standards Developer. This document is registered as a Technical Report series of publications according to the Procedures for the Registration of ANSI Technical Reports. This document is not an American National Standard and the material contained herein is not of a normative nature. Comments on the content of this document should be sent to the Accredited Standards Developer.

Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA, or of any of the standards, recommended practices, or technical reports that ISA develops.

CAUTION — ISA ADHERES TO THE POLICY OF THE AMERICAN NATIONAL STANDARDS INSTITUTE WITH REGARD TO PATENTS. IF ISA IS INFORMED OF AN EXISTING PATENT THAT IS REQUIRED FOR USE OF THE DOCUMENT, IT WILL REQUIRE THE OWNER OF THE PATENT TO EITHER GRANT A ROYALTY-FREE LICENSE FOR USE OF THE PATENT BY USERS COMPLYING WITH THE DOCUMENT OR A LICENSE ON REASONABLE TERMS AND CONDITIONS THAT ARE FREE FROM UNFAIR DISCRIMINATION. EVEN IF ISA IS UNAWARE OF ANY PATENT COVERING THIS DOCUMENT, THE USER IS CAUTIONED THAT IMPLEMENTATION OF THE DOCUMENT MAY REQUIRE USE OF TECHNIQUES, PROCESSES, OR MATERIALS COVERED BY PATENT RIGHTS. ISA TAKES NO POSITION ON THE EXISTENCE OR VALIDITY OF ANY PATENT RIGHTS THAT MAY BE INVOLVED IN IMPLEMENTING THE DOCUMENT. ISA IS NOT RESPONSIBLE FOR IDENTIFYING ALL PATENTS THAT MAY REQUIRE A LICENSE BEFORE IMPLEMENTATION OF THE DOCUMENT OR FOR INVESTIGATING THE VALIDITY OR SCOPE OF ANY PATENTS BROUGHT TO ITS ATTENTION.
USER SHOULD CAREFULLY VESTIGATE RELEVANT PATENTS BEFORE USG DOCUMENT USER’S TENDED APPLICATION. Copyright 2004 ISA. rights . ANSI/ISA-TR99.00.02-2004 — 4 — HOWEVER, ISASKS ANYREVIEWG THDOCUMENT WHO AWANY PATENTS MAY IMPACT IMPLEMENTATIDOCUMENT NOTIFY ISSTANDARDS PRACTICES DEPARTMENT PATENT ITS OWNER. ADDITIONALLY, THDOCUMENT MAY VOLVE HAZARDOUS MATERIALS, OATIONS EQUIPMENT. DOCUMENT CANANTICIPATE POSSIBLE APPLICATIONS ADDRESS POSSIBLE SAFETY ISSUES ASSOCIATED HAZARDOUS CONDITIONS. USER THDOCUMENT MUST EXERCISE SOUND PROFESSIONAL JUDGMENT CONCERNG ITS APPLICABILITY USER’S PARTICULAR CIRCUMSTANCES. USER MUST ALSO CONSIDER APPLICABILITY ANY GOVERNMENTAL REGULATORY LIMITATIONS ESTABLISHED SAFETY HEALTH PRACTICES BEFORE IMPLEMENTG THDOCUMENT. followg served votg members ISA-SP99: NAME COMPANY B. Sger, Chair Rockwell AutomatiE. Hand, Vice Chair Kraft Foods c. R. Webb, Managg Direct& WG2 Leader Consultant E. Byres, Workg Group 1 Leader British Columbistitute Technology M. Franz, Workg Group 3 Leader Cisco Systems, c. D. Teumim, Workg Group 7 Leader Teumim Technical LLC P. Bayt Primatech c. H. Beum terface Technologies R. Bhojani Bayer D. Brandl BR&L Consultg K. Chambers GE Fanuc AutomatiAmericc. J. ChristmNorthrop GrummformatiTechnology E. CosmDow Chemical Co. J. DalzISFrance T. DavTelvent R. Derynck Verano c. R. Dhaliwal Allstream R. Forrest Ohio State University T. Good DuPont M. Heard EastmChemical Co. M. Lees Scherg-Plough Corp. C. Mastromonico WestghoSavannah River Co. W. Matz vensys-Foxboro G. Morngstar Cedar Rapids Water Dept. A. Nangi3M S. OdYokogawCorp. AmericR. Oyen ABB c. M. Schilt Rockwell AutomatiC. SossmWGI-W Safety Management Solutions LLC L. Steocher FluEnterprises c. B. TaylGeorge WashgtUniversity D. Tdill Matrikc. L. Uden Lyondell/Equistar Chemicals J. Weiss KEMc. Thtechnical report wapproved publicatiISStandards Practices Board 12 April 2004: Copyright 2004 ISA. rights . — 5 — ANSI/ISA-TR99.00.02-2004 NAME COMPANY V. Maggioli, Chair Feltronics Corp. F. 
D. Bishop, David N. Bishop, Consultant
K. Bond, Consultant
D. Bouchard, Paprican
M. Coppler, Ametek, Inc.
B. Dumortier, Schneider Electric
W. Holland, Consultant
E. Icayan, ACES, Inc.
A. Iverson, Ivy Optiks
T. McAvinew, Jacobs Engineering Group
A. McCauley, Jr., Chagrin Valley Controls, Inc.
G. McFarland, Emerson Process Management
R. Reimer, Rockwell Automation
J. Rennie, Consultant
N. Sands, DuPont
H. Sasajima, Yamatake Corp.
T. Schnaare, Rosemount Inc.
A. Summers, SIS-TECH Solutions LLC
I. Verhappen, Syncrude Canada Ltd.
R. Webb, Consultant
W. Weidman, Parsons Energy & Chemicals Group
J. Weiss, KEMA Inc.
M. Widmeyer, Stanford Linear Accelerator Center
R. Wiegle, CANUS Corp.
C. Williams, Eastman Kodak Co.
M. Zielski, Emerson Process Management

Table of Contents

1 Scope 15
2 Purpose 15
3 Intended Audience 15
4 General Terms and Definitions 15
5 Background 17
6 Developing a Security Program 18
6.1 Leadership Commitment 18
6.2 Develop a Business Case 19
6.3 Develop Charter and Scope 19
6.4 Program Tasks 20
6.5 Special Considerations for Manufacturing Control Systems 21
6.6 Program Elements 22
6.7 Manufacturing Control System Change Management Plan 31
6.8 Security Lifecycle 34
6.9 Program Step Details 35
7 Define Risk Goals 36
8 Assess and Define the Existing System 36
8.1 Form a Cross-Functional Team 36
8.2 Pre-Risk Analysis Activities 36
8.3 Update Screening Inventory 42
8.4 Make a Preliminary Assessment of Overall Vulnerability 42
9 Conduct Risk Assessment and Gap Analysis 42
9.1 Conduct Detailed Risk Analysis and Vulnerability Assessment on Prioritized Assets 42
9.2 Prioritize Systems for Implementation Phase of Risk Mitigation Plan 54
10 Design and Select Countermeasures 55
10.1 Implement Risk Mitigation Strategies Based upon Detected Vulnerabilities 55
10.2 Address Vulnerabilities 59
10.3 Formalize Change Management Plan and System 60
11 Procure and Build Countermeasures 60
11.1 Translate Requirements from Design Phase into Specification for Complete Construction 60
12 Define Component Test Plans 60
12.1 Decisions to Make in Planning a Test Program 60
12.2 Sufficient Testing 62
12.3 Component Test Plans 63
13 Test Countermeasures 63
14 Define Integration Test Plan 64
15 Perform Pre-Installation Integration Test 64
16 Define System Validation Test Plan 64
17 Perform Validation Test on Installed System 65
18 Finalize Operational Security Measures 65
18.1 Establish Operational Security Baseline 65
18.2 Finalize Operational Security Policy 66
18.3 Establish Management of Change (MOC) Program 66
18.4 Establish Periodic Audit Plan 66
18.5 Establish Audit Metrics 66
18.6 Establish Audit Metrics Reporting Procedure 66
18.7 Establish Compliance Requirements 67
18.8 Establish Corrective Action Procedures 67
18.9 Disaster Recovery 67
18.10 Monitoring and Logging 67
18.11 Intrusion Detection 67
18.12 Incident Response 67
18.13 Contingency Plans 68
18.14 Normal Support 68
18.15 Formalize Audit Plan and System 68
18.16 Implement 69
19 Routine Security Reporting and Analysis 69
20 Periodic Audit of Compliance Measures 69
21 Reevaluate Security Countermeasures 69
22 Work with Suppliers and Consultants 69
22.1 System Suppliers 70
22.2 Consultants 70
22.3 Integrators 70
22.4 User Groups 70
23 Participate in Industry Forums and Development Programs 71
23.1 ISA—The Instrumentation, Systems, and Automation Society 71
23.2 U.S. National Institute of Standards and Technology (NIST) 71
23.3 North American Electric Reliability Council (NERC) 71
23.4 Chemical Industry Data Exchange (CIDX) 71
23.5 Institute of Electrical and Electronics Engineers (IEEE) 71
23.6 International Electrotechnical Commission (IEC) 71
23.7 International Council on Large Electric Systems (CIGRE) 72
23.8 U.S. Department of Energy National SCADA Test Bed Program 72
23.9 Process Control System Cyber Security Forum (PCSRF) 72
24 Bibliography and References 72
Annex A — Sample Policies and Procedures Document 75
Annex B — Sample Vulnerability Assessment Procedure 87
Annex C — Integrating Security into Supplier Practices 87
Foreword

In order to protect Manufacturing Control Systems environments from potential threats and the probability of attacks, a site or corporate entity should be responsible for developing an electronic security program and creating a security plan to protect manufacturing control networks. This ISA Technical Report provides a framework for developing an electronic security program and provides a recommended organization and structure for the security plan. The information provides detailed information on the minimum elements to include. Site or entity-specific information should be included in appropriate places in the program.

This technical report addresses Manufacturing Control Systems whose compromise could result in any or all of the following situations:
• endangerment of public or employee health or safety
• loss of public confidence
• violation of regulatory requirements
• loss of proprietary or confidential information
• economic loss
• impact on entity, local, state or national security

The concept of Manufacturing Control Systems electronic security is applied in the broadest practical sense, encompassing all types of plants, facilities, and systems in all industries. Manufacturing Control Systems include, but are not limited to:
• Hardware and software systems such as Distributed Control Systems (DCSs), Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA) systems, networked electronic sensing, and monitoring and diagnostic systems
• Associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing operations functionality to continuous, batch, discrete, and other processes.
• Basic Process Control System (BPCS), Safety Instrumented System (SIS), and associated systems such as advanced or multivariable control, online optimizers, dedicated equipment monitors, and graphical interfaces.

Note to the reader: ISA’s SP99 standards development committee, which developed this ISA Technical Report, is seeking feedback on its content and usefulness. If you have comments on the value of this report or suggestions for improvements or additional topics, please send those comments by email, fax, postal mail, or phone to:
ISA-SP99
ISA Standards
67 Alexander Drive
Research Triangle Park, NC 27709 USA
Email: info@isa.org
Tel: +1 919 990 9200
Fax: +1 919 549 8288
Introduction

This document, the second in a series of ISA Technical Reports, provides guidance to Manufacturing Control Systems users (including operations, maintenance, engineering, and user services), manufacturers, suppliers, and security practitioners on how to provide adequate electronic (cyber) security for their systems. The focus is on the planning, developing, and implementing activities involved in a comprehensive program for integrating security into the Manufacturing Control Systems environment. The program includes requirements, policies, procedures, and practices in areas ranging from risk analysis and management of change to compliance auditing. Implementing this type of program often involves additional or changed hardware and software and may require training personnel on the technologies (such as network firewalls). Guidance on the procedures that are involved includes technology-related discussion and examples. This information is provided in the companion Technical Report in this series:
• ANSI/ISA-TR99.00.01-2004, Security Technologies for Manufacturing Control Systems—Provides an overview of the types of electronic security technologies currently available for the Manufacturing Control Systems environment; the pros, cons, and specific details of how each technology fits in the environment; a list of the types of products currently evaluated by the ISA-SP99 committee; and an idea of where security technology is headed in the future.

A significant part of ANSI/ISA-TR99.00.02-2004, Integrating Electronic Security into the Manufacturing Control Systems Environment, is technology-dependent, but other parts do not rely on technology. Refer to ANSI/ISA-TR99.00.01-2004 for comprehensive information on the alternatives available to implement security technologies. Please refer to both technical reports in this series for a comprehensive presentation and understanding of the technology, programs, audits and testing necessary to provide electronic security in the Manufacturing Control Systems environment.

This ISA technical report provides guidance on attaining adequate electronic security. It should be used to help identify and address vulnerabilities and reduce the risk of undesired intrusions that could compromise confidential information or cause disruption or failure of manufacturing control systems.
The guidance presented in this document is general in nature, and must be applied to each system or network by personnel knowledgeable about the manufacturing control systems to which it is being applied. The guidance identifies those activities, system attributes, and actions that are typically important to provide electronically secure control systems, but whose application is not always compatible with maintenance of the system’s functions. The guidance includes suggestions for appropriate application to specific control systems; however, selection of the activities and practices for a given system is the responsibility of the system’s owner. It is expected that this guidance will grow and change over time, as experience is obtained on system vulnerability and as security technologies become available. The general form of this guidance is expected to remain relatively stable, but the specifics of its application to specific solutions are expected to evolve with developments in technology, industry requirements, and regulatory requirements.

1 Scope

The scope of this ISA technical report includes Manufacturing Control Systems whose compromise could result in the endangerment of public or employee health or safety, loss of public confidence, violation of regulatory requirements, loss or invalidation of proprietary or confidential information, or economic loss. The concept of Manufacturing Control Systems electronic security is applied in the broadest practical sense, encompassing all types of manufacturing and process facilities and systems in all industries. Manufacturing Control Systems include, but are not limited to:
• Hardware and software systems such as Distributed Control Systems (DCSs), Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA) systems, networked electronic sensing systems, and monitoring and diagnostic systems;
• Associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing operations functionality to continuous, batch, discrete, and other processes.

Enterprise Resource Management and Enterprise Resource Planning Systems are not within the scope of this document, although the integrity of data communications between the Manufacturing Control Systems domains and Enterprise Resource and Business Systems should be included.
2 Purpose

The purpose of this ISA technical report is to present a consistent approach to developing, implementing, and operating a program that addresses the security of Manufacturing Control Systems.

3 Intended Audience

The audience for this ISA technical report includes users of Manufacturing Control Systems (including facility operations, maintenance, engineering, and corporate components of user organizations), manufacturers, suppliers, and security practitioners.

4 General Terms and Definitions

The following terms can take on various interpretations, and the definitions in this section are used as they apply to this technical report.

Component Testing—Testing performed by the vendor, at the user’s plant, or at an outside lab to assure all parties that the purchased security components meet the purchase specifications and demonstrate the required security performance.

Compromise—Any action by authorized or unauthorized sources that results in the undesirable release of confidential information, modification of critical information, loss of control system component assets, physical endangerment, loss of system availability, degraded monitoring capability, or decreased reliability of Manufacturing Control Systems, or their informational dependencies.

Control System Operations—Control system operations encompass the collection of production, maintenance, and quality assurance operations and activities of a manufacturing facility. These include:
• facility activities that coordinate the personnel, equipment, and material involved in the conversion of raw materials into end products
• functions that may be performed by physical equipment, human effort, and information systems
• managing information about the schedules, use, capability, definition, history, and status of all resources (personnel, equipment, and material) within the facility.

Integration Testing—The examination and testing of several security components, perhaps from different vendors, temporarily connected together in a test environment to see if the security components work together correctly before being placed in the actual Manufacturing Control System.

Manufacturing Control Systems—Systems (personnel, hardware, and software) comprised of either standalone or networked configurations, designed to control or monitor specific aspects of the production process, including safety.
Production includes conveyance, treatment, processing, manufacturing, and distribution, or the engineering of the production process for any product including, but not limited to, utilities production and distribution, consumer goods, raw materials, component parts, and the like. Manufacturing Control Systems can include DCS, HMI, PLC, SCADA, hybrid, or any type of control system serving any part of the manufacturing process or utility industries, including continuous, discrete, batch, or other processes.

Manufacturing Control Systems Electronic Security—Manufacturing Control Systems Electronic Security includes the concepts of identification, authentication, accountability, authorization, and privacy. The objective is to preclude unauthorized use, modification, disclosure, or destruction of critical systems or informational assets in an effort to reduce the risk of personal injury or the possibility of endangering public health, loss of public or consumer confidence, disclosure of sensitive assets, or protection of business assets. These concepts are applied to any system in the production process and include both standalone and networked components. Communications between systems may be either through internal messaging or by any human or machine interfaces that authenticate, operate, control, or exchange data with any of these control systems.

Manufacturing Operations—Manufacturing operations encompass the collection of production, maintenance, and quality assurance operations and activities of a production facility. Operations include:
• manufacturing or processing facility activities that coordinate the personnel, equipment, and material involved in the conversion of raw materials and/or parts into products
• functions that may be performed by physical equipment, human effort, and information systems
• managing information about the schedules, use, capability, definition, history, and status of all resources (personnel, equipment, and material) within the manufacturing facility.

Security Components (also called Security Countermeasures)—Techniques such as firewalls, authentication modules, and encryption software purchased from outside security vendors and inserted into an existing Manufacturing Control System to improve the security performance of the system.

Security Guidelines—Security guidelines define the objectives and constraints of the security program. Guidelines are created at several levels, ranging from company or corporate policy to specific operational constraints (e.g., remote access).
In general, guidelines provide answers to the questions of “what” and “why” without dealing with “how.” Guidelines are normally stated in terms that are technology-independent.

Security Performance—Security performance may be evaluated in terms of the program’s compliance, the completeness of measures to provide specific threat protection, post-compromise analysis, review of changing business requirements, threat and vulnerability information, and periodic audit of the control systems to ensure that security measures remain effective and appropriate. Tests, audits, tools, measures, or other methods are required to evaluate security practice performance.

Security Practices—Security practices provide a means of capturing experiences and activities that help ensure system protection and reduce the potential for Manufacturing Control Systems compromise. Subject areas include physical security, procedures, organization, design, and programming. Security practices include the actual steps taken to ensure system protection.

Security Procedures—Security procedures define exactly how practices are implemented and executed. They are implemented through personnel training and actions using currently available and installed technology (such as disconnecting modems). Procedures are contained in the criteria and also include technology-dependent system requirements that need careful analysis, design, planning, and coordinated installation and implementation.

Security Program—A security program brings together all aspects of managing security, ranging from the definition and communication of guidelines through implementation of industry best practices to ongoing operation and auditing.

System Validation Testing—Testing done on an entire Manufacturing Control System with all security components inserted, configured, and made operational. The Manufacturing Control System may be in a non-production mode, or turnaround mode, to conduct this testing. The purpose of system validation testing is to assure or see whether the entire Manufacturing Control System, with the security components retrofitted, meets the desired security performance while still meeting the non-security functional performance requirements and specifications.

Teleworking—Teleworking is an arrangement through which employees work at a location away from the employer’s main office.
Electronic connections (e.g., telephone lines, cellular/wireless circuits, and Internet access) are relied upon for the bulk of the interactions and information transfer.

5 Background

During the past several years, the process automation systems that support the process manufacturing enterprise have evolved from individual, isolated computers with proprietary operating systems and networks to interconnected systems and applications employing widely used and well understood “open systems” technology (i.e., operating systems and protocols). These automation systems are now being integrated with enterprise systems and other business applications through site and corporate communication networks. This integrated architecture provides significant business benefits, including the following:
• Increased visibility of shop floor activities (work in process, equipment status, production schedules), enabling improved business analysis and decision making.
• Integrated manufacturing systems have direct access to enterprise information, enabling a more responsive manufacturing enterprise.
• Common interfaces reduce overall support costs and allow more remote support of production processes.
• Improved data accessibility provides the ability to conduct analyses that drive out production costs and improve productivity.
• Remote monitoring of process control systems allows problems to be solved more quickly and reduces support costs.

ANSI/ISA standards, such as the ANSI/ISA-50 (Fieldbus) series, the ANSI/ISA-84 (Application of Safety Instrumented Systems for the Process Industries) series, the ANSI/ISA-88 (Batch Control) series, ANSI/ISA-91.00.01-2001 (Identification of Emergency Shutdown Systems and Controls That Are Critical to Maintaining Safety in Process Industries), and the ANSI/ISA-95 (Enterprise-Control System Integration) series, have added considerable value to the Manufacturing Control Systems community by establishing models, terms, and information exchanges that provide the ability to share information in an open and standardized way (visit www.isa.org/standards/ for additional information on these standards). However, this ability to exchange information increases the vulnerability to misuse and attack by individuals with malicious intent and introduces potential risks to the enterprise and its Manufacturing Control Systems. In recent years, electronic security has become a significant and widely acknowledged concern.
People with knowledge of the features provided by open operating systems and networks could potentially intrude into console devices, remote devices, databases and, in some cases, control platforms. The impact of intruders on Manufacturing Control Systems may include:
• unauthorized access, theft, or misuse of confidential information
• loss of integrity or reliability of process data and production information
• loss of system availability
• process upsets leading to inferior product quality, lost production capacity, compromised process safety, or environmental releases
• equipment damage
• personal injury
• violation of legal and regulatory requirements
• risk to public health and confidence
• impact on the nation’s security.

The focus on unauthorized access has broadened from “hackers” and disgruntled employees to include deliberate terrorist activities aimed at harming large groups or facilities. This shift requires a structured set of guidelines and procedures to define electronic security as applicable to Manufacturing Control Systems, as well as their respective connectivity to other systems.

6 Developing a Security Program

Effectively integrating security into a Manufacturing Control System environment requires defining and executing a comprehensive program that addresses all aspects of security, ranging from identifying objectives to day-to-day operation and ongoing auditing for compliance and improvement. This section describes the basic process for developing a security program. More detailed information on the various steps is provided in subsequent sections.

6.1 Leadership Commitment

Commitment to the security program begins at the top. Senior management must demonstrate a clear commitment to cybersecurity. Cybersecurity is a business responsibility shared by all members of the enterprise and especially the leading members of the business, process, and manufacturing management teams. Cybersecurity programs with visible, top-level support and “buy-in” from organization leaders are more likely to gain compliance, function more smoothly, and have earlier success.

6.2 Develop a Business Case

Even with a general commitment, upper management does not always recognize or understand the practical benefits of cybersecurity for Manufacturing Control Systems. In order to obtain funding, it may be necessary to build a business case.
The ISA-SP99 committee recognizes this topic as important and will address it further in a future revision of this Technical Report.

6.3 Develop Charter and Scope

Once the imperative is understood and the business case established, the next step is to develop a formal charter and scope for the effort. This charter should explain clearly what is to be accomplished (in business terms) and by when. The scope of the program defines the specific entity (business, site, or corporation) on which to focus. The charter should be owned by a senior executive program champion who is responsible for guiding the team during program development. The champion is ultimately responsible for making sure the program is executed, including communications, enforcement, and auditing.

6.3.1 Assemble Stakeholders and Establish a Program Team

The next step is to assemble a team of people responsible for developing the various program elements, including guidelines, processes, and procedures. This team should consist of, but not be limited to, personnel from the following areas:
• Information Technology (IT)
• Telecommunications
• Process Control
• Operations and Production
• Maintenance
• Security
• Management
• Training
• Human Resources
• Finance

Programs should be developed so they can be implemented throughout the specific entity (business, site, or corporation). The initial program scope is defined as the program team is formed, but may be adjusted as the team’s knowledge grows. Programs should be developed within existing business, site, or corporation program structures where appropriate to simplify and expedite the process.

The senior executive program champion should be responsible for guiding the team during program development. The champion is ultimately responsible for making sure the program is executed, including communications, enforcement, and auditing.

6.4 Program Tasks

Once the team has been assembled, its first activity is to plan the basic tasks that must be accomplished in developing an effective program. These tasks are briefly described in the following paragraphs. More detailed information is provided in sections 7 through 21.

1. Define Risks
The first task of the program team is to define the potential risks to the Manufacturing Control System. Risks may be identified through a variety of means, ranging from corporate governance or external regulatory compliance to the application of a formal risk assessment methodology. Regardless of how they are identified, risks must be categorized and prioritized.

2. Establish Program Goals
Establish specific goals to address the risks identified. These goals form the foundation of the security program and must be clearly supported by senior management, as well as by the technical experts responsible for the Manufacturing Control Systems. Goals should include developing an implementation plan and schedule covering all aspects of the program, along with recommendations for developing awareness and training of personnel. The implementation plan includes a transition phase that provides the methodology and architecture to get from the “as-is” security conditions to the “to-be” security conditions. It also provides the details for actually performing the work required to make the security changes or additions to the Manufacturing Control Systems. The schedule may depend on the funding for the program, and should consider the priorities defined in the plan.

3. Identify Program Elements and Develop a Plan
Security programs consist of various combinations of written guidelines, standards, processes, and procedures that address the issues and requirements within the stated scope of the program. Written documentation must clearly state whether actions and procedures are mandatory or recommended practices. Each program requires a specific list of elements to be included. These elements build on existing Information Technology (IT) security experience, programs, and practices, tailored to the specific security requirements of the Manufacturing Control System environment. A list of possible elements can be found in section 6.6.

4. Address Configuration Management
Vital information assets must be assessed and classified based on the consequences of their loss, damage, or failure. Assign appropriate levels of security protection and assess the vulnerability of the Manufacturing Control System to information loss or compromise.

5. Establish Performance Considerations
In developing an electronic security program, it is important to consider various aspects of Manufacturing Control System performance to ensure that each element is applied without adversely impacting the systems to which it is applied. However, it is also essential to review and consider the required performance at the overall systems level to ensure that the security features, taken together, do not adversely affect the required time-critical performance characteristics of the systems.
Successful completion of this task requires a detailed understanding of the factors that make Manufacturing Control Systems different from typical business information technology systems. Special considerations for Manufacturing Control Systems are examined in more detail in section 6.5.

6. Execute the Program
A complete program includes plans that define the approach and criteria for Manufacturing Control Systems electronic security. Plans define the necessary security to be provided, and usually include functional requirements, as well as certain specific technical requirements. They provide for the system’s electronic security, while ensuring that basic manufacturing control functionality is fully met. Plans encompass all aspects of the program; they define the program in its entirety, even though the plans may be performed and implemented throughout the organization (e.g., design, engineering, services, operations, maintenance, and procurement).

6.5 Special Considerations for Manufacturing Control Systems

Manufacturing Control System electronic security plans and programs are consistent with, and build on, existing IT (information technology) security experience, programs, and practices. However, there are critical operational differences between Manufacturing Control Systems and IT systems that influence the specific measures that should be applied. Key differences include:
• Differing risk management goals—Human safety and fault tolerance to prevent loss of life or endangerment of public health or confidence, loss of equipment, loss of intellectual property, or lost or damaged product.
• Differing architecture security focus—In a typical IT system, the primary focus of security is protecting the information stored on the central server. In manufacturing systems, the situation is reversed. Edge clients (e.g., PLC, operator station, DCS controller) are typically more important than the central server.
• Differing availability requirements—Many manufacturing processes are continuous in nature. Unexpected outages of systems that control manufacturing processes are not acceptable. Exhaustive pre-deployment testing is essential to ensure high availability for the Manufacturing Control System. In addition to unexpected outages, many control systems cannot be easily stopped and started without affecting production. In some cases, the products being produced or the equipment being used are more important than the information being relayed.
The requirement for high availability, reliability, and maintainability reduces the effectiveness of strategies like rebooting.
• Unintended consequences—Manufacturing Control Systems can be very complex in the way they interact with physical processes. Security functions integrated into a process control system must be tested to prove that they do not introduce unacceptable vulnerabilities. Adding any physical or logical component to a system may reduce the reliability of the control system, but the resulting reliability should be kept at acceptable levels.
• Time critical responses—In some systems, the automated response time or the system response to human interaction is critical. For example, emergency actions in regulatory process control systems should not be hampered by requiring password authentication or authorization. Information flow must not be interrupted or compromised.
• Differing response time requirements—Manufacturing Control Systems are generally time critical; delay is not acceptable in the delivery of information, while high throughput is typically not essential.
• System software—Differing “custom” operating systems and applications may not tolerate typical IT practices. Networks are often more complex and require a different level of expertise (e.g., control networks are typically managed by control engineers, not IT personnel). Software and hardware applications are more difficult to upgrade in a control system network. Many systems may not have desired features, including encryption capabilities, error logging, and password protection.
• Resource constraints—Control systems and their real time operating systems are often resource-constrained systems that do not include typical IT security technologies. There may not be available computing resources to retrofit security technologies.
• Information integrity—In-bound information is highly essential to control system operation. It is important to take practical precautions to eliminate malicious in-bound information in an effort to maintain control operation.
• Communications—Communication protocols and media used in control systems environments are typically different from the generic IT environment, and may be proprietary. Examples include radio telemetry using asynchronous serial protocols and proprietary communication networks.
• Software Updates—Security patches cannot always be implemented on a timely basis because software changes need to be thoroughly tested by the vendor of the manufacturing control application and by the end user of the application before being implemented. Change management control is necessary to maintain the integrity of control systems.

These differences require careful assessment by Manufacturing Control System experts working in conjunction with security personnel. This team of people should carefully evaluate the applicability of specific Manufacturing Control Systems electronic security features, including thorough testing before application, where necessary.

6.6 Program Elements

There are several specific elements to be delivered as part of a comprehensive security program. These elements should be carefully documented. Written records should be kept of policies and procedures, as well as the results of their application. Backups and archives should be maintained so that failures or compromise of systems do not destroy the records. The following paragraphs describe several elements commonly included in a program.

6.6.1 Definitions
Provide a set of definitions for key words and phrases, especially as they apply to Manufacturing Control Systems.

6.6.2 Scope and Purpose
A description of the program’s scope and purpose is typically taken from the initial charter. The security perimeter for the hardware and software to which the program is applied should also be defined. Defining the security perimeter supports a clear understanding of the connections and interfaces that must be secured.

6.6.3 Organization and Responsibilities
Define roles and responsibilities for the entire organization, along with the interfaces between each part of the organization. This structure allows all participants to clearly understand their role and the role of the others with whom they must interface at all levels. The organization responsible for Manufacturing Control Systems may be different from that responsible for IT systems. This organization may have different priorities and established training procedures focused on legal compliance, preventing accidents, controlling incidents, maintaining product quality, and preventing loss of revenue.

6.6.4 Principles
The security program should develop and identify the principles for process control security that balance the needs of both production and corporate security. Examples of where principles may be required include:
• Ownership and accountability—where is it assigned within the organization?
• Operation and production requirements.
• Support needs and strategies.
• Access control.
• Physical security.
• Monitoring and controlling physical features.
• Physical access control, locking, and protection.
• Maintenance management.

6.6.5 Vulnerability Assessment
Every business organization should identify its vital information assets, classify them based on the consequences of their loss or failure, assign appropriate levels of security protection, and assess the vulnerability of its Manufacturing Control Systems to information loss or compromise. Once the system vulnerabilities are understood, the security program can be designed to take appropriate actions to ensure that the levels of security protection are achieved through both system design and administrative controls.

6.6.6 Policies
In response to the principles and management direction, the program team must identify and develop a series of policies that determine exactly how security is to be managed. These policies exist at several levels, ranging from basic organizational policies established by management to detailed policies on specific aspects of the program. The appropriate level of management must understand and approve these policies. Potential areas requiring policies include:
• Legal and regulatory compliance
• Training and certification
• Hiring, evaluating and terminating personnel
• Assignment of appropriate security clearance levels
• Authentication
• Authorization
• Logical rights
• Change control
• Logging
• Passwords
• Accounts
• Modem access
• Other remote access
• Unused resources

Annex A provides an example set of security policies and practices developed to support the security risk goals and the overall security program for a company’s Manufacturing Control Systems environment. The examples are provided to illustrate the level of policy and practice decisions that need to be made to support meeting the risk goals.

6.6.7 Standards
In addition to principles and policies, specific standards must be identified and established for the security program. Areas where standards may exist or be required include:
• Communication protocols
• Network architecture
• Operating systems
• Databases
• Safety
• Physical installations
• Maintenance
• Security clearance parameters

In some cases, the standards selected may be the same as those applied to business systems.
However, there are situations where different standards are selected to meet the specific needs of manufacturing systems.

6.6.8 Design Models
The security program may include developing design models that describe the minimum acceptable or recommended practices to be used in constructing a secure system. Topics that could be addressed through these models include:
• System hardware and software design and implementation requirements, such as firewalls, routers, and switches
• Permissible data flows
• Management activities to ensure compliance with requirements

The focus of these models is on meeting functional requirements, with technology suggested in the discussions and guidance to provide examples and ensure understanding. ANSI/ISA-TR99.00.01-2004, Security Technologies for Manufacturing Control Systems, provides a comprehensive listing of the available technologies to meet these requirements, along with recommendations for the Manufacturing Control System environment. ANSI/ISA-TR99.00.01-2004 should be used in conjunction with the requirements and solutions developed in accordance with this technical report. Several models are required for any program.

Network Segments
The network for a modern manufacturing facility is typically comprised of a series of logical and physical network segments that represent a “layers of protection” approach to design. The specific names used for these segments vary, but the general arrangement is similar to the following:
• Enterprise Network Segment—Enterprise system computers, such as Enterprise Resource Planning (ERP), Supply Chain Management (SCM), and Customer Relationship Management (CRM) computers, are connected to this segment. General-purpose internal client systems (desktops and laptops) also typically connect here.
• Process Information Network Segment—Manufacturing Execution System (MES) computers are connected to the process information network segment. This network segment is connected to the enterprise network via routers, and sometimes shares the network with the enterprise network segment.
• Control Network Segment—Controllers and Human Machine Interface (HMI) devices for manufacturing control are connected to this segment. Media and protocols may be proprietary or general-purpose.
Primitive, essential information for control is exchanged, such as measured variables and manipulated variables; sometimes controller configuration information is exchanged for maintenance purposes. Communication frames designated for the field network may also be present on this network. The control network is usually connected to the information network via a gateway or similar device and may be further isolated by means of a firewall.
• Field Network Segment: Field devices, such as sensors and actuators, are connected to this network segment. Usually proprietary protocols and/or media are used for communication, and the connected devices usually have less computing capability. Primitive, essential information for control is exchanged, such as measured variables and manipulated variables; sometimes controller configuration information is exchanged for maintenance purposes. The field network is usually connected to the control network via a controller or gateway.
• Process Segment: This elementary segment consists of pipe, valves, vessels, transport belts, and vehicles containing the production fluid or product, and other devices. These segments are entirely physical and provide the means to attach the primary element sensors mentioned in the field network segment. Although this segment is not directly impacted by information system vulnerabilities, it could be impacted directly by control systems or by intentional human interaction, and thus must also be considered.
This technical report focuses on process information network, control network, and field network security. The enterprise network should be protected by business policies; process segments and the physical plant should be protected by physical security plans beyond the scope of this document.

Access Control Model
The Access Control Model describes recommended practices for accessing Manufacturing and Control Systems. Because there are various segments in the network model, there may be varying access control practices for devices on different network segments. In applying access control, make sure to recognize the unique aspects of Manufacturing and Control Systems. For example, operators in a control room typically need to be able to operate the plant and take control actions, often immediately, without any hindrance from passwords. Physical security and trustworthy personnel are assumed to ensure that operators can perform needed actions immediately.
However, the need to modify or reconfigure the system on an immediate basis is less likely to be required, and therefore stronger access controls could be used to ensure that only those authorized perform this function.

User Access Management
User Access Management addresses policies and practices for managing user accounts at the different network segment levels. Develop policies for the following aspects of managing user accounts. Follow ISO 17799:2000 (1), 9.2 as appropriate regarding user account management.
• User registration
• Privilege management
• User password management
• Review of user access rights

User Responsibilities
Users on different network segments may have different responsibilities. The vulnerabilities and risks at the different network segment levels require different policies and practices to be created for the following aspects of the information network. Develop policies for the following aspects of user responsibilities. Follow ISO 17799:2000, 9.3 as appropriate.
• Password use
• Unattended user equipment

(1) ISO 17799, Information Technology - Code of Practice for Information Security Management, was developed for traditional systems. Many of its recommendations, including password policies, may not be appropriate for control system applications.

Network Access Control
The security program must include policies and practices for the following aspects of the information, control, and field network segments and the devices connected to them. Develop policies for the following aspects of network access control. Follow ISO 17799:2000, 9.4 as appropriate.
• Policy on use of network services
• Enforced path
• User authentication for external connections
• Node authentication
• Remote diagnostic port protection
• Network connection control
• Network routing control
• Security of network services
Control Networks and Field Networks should be physically secured. Refer to section 6.6.8.3, "Physical and Environmental Security."

Operating System Access Control
Develop policies for the following aspects of the network, including the gateways that connect network segments. Follow ISO 17799:2000, 9.5 as appropriate.
• Automatic terminal identification
• Terminal log-on procedures
• User identification and authentication
• Password management system
• Use of system utilities
• Duress alarm to safeguard users
• Terminal time-out
• Limitation of connection time

Application Access Control
Develop policies for the following aspects of the network, including the gateways that connect network segments. Follow ISO 17799:2000, 9.6 as appropriate.
• Information access restriction
• Sensitive system isolation

Monitoring System Access
Develop policies for the following aspects of the network. Also develop policies for external equipment if the control network or field network has external access points. Follow ISO 17799:2000, 9.7.
• Cyber event logging
• Monitoring system use
The following events should be logged and monitored on control networks:
• Data access
• Other events related to system security and/or network-based intrusion, as appropriate.

Remote Access and Teleworking
The security program must address the remote or mobile user who attempts to access the network. Policies and practices are required to address each type of connection (wireless-based, Internet-based, dial-in modem-based, LAN, WAN), as well as the functions that may be performed by the remote or mobile user. Follow ISO 17799:2000, 9.8 as appropriate. Mobile computing access to manufacturing systems should be closely controlled. The security program should include developing security policies and practices for using mobile access points. Examples of possible direction include:
• User accounts for mobile computing should not be shared with non-mobile use.
• Password aging and lockout should be used in mobile user account management.
• All activities through mobile access points should be logged and monitored.
• Access points should be accessed via closed network connections only. Closed network connections include IP-VPN service.

6.6.8.3 Physical and Environmental Security
The control and field network segments should be strictly physically secured. Based on the results of security assessments performed to date, the security perimeter may be defined on a case-by-case basis. During security program implementation, the security perimeter of the Manufacturing and Control System should be defined, specifying the components that make up the security boundary of the system.
The security boundary usually provides several layers of protection and typically extends beyond the immediate Manufacturing and Control System design to include external applications and communications networks.
There are several possibilities for defining the physical perimeter, depending on circumstances and company practice. For example, at a large integrated manufacturing site that includes multiple operating units, it may be the practice to establish the perimeter at the fence line, treating all units as part of the physical facility. This design would clearly not be appropriate in cases where multiple companies share a physical site, as is the case in a typical industrial park. In that situation, the physical perimeter could be defined at the unit level. In general terms, the physical perimeter is defined in terms of the contiguous area owned by a single entity.
Develop policies for the following aspects of physical security. Follow ISO 17799:2000, 7 as appropriate.
• Security areas
• Equipment security
• General controls

Communications and Operations Management
Develop policies for the following aspects of the information network. Follow ISO 17799:2000, 8 as appropriate.
• Operational procedures and responsibilities
• System planning and acceptance
• Protection against malicious software
• Housekeeping
  - Information back-up
  - Operator logs
  - Fault logging
• Network management
• Media handling and security
  - Management of removable and attachable computer media
  - Disposal of media
  - Information handling procedures
  - Security of system documentation
• Exchanges of information and software

6.6.8.5 Performance Considerations
Every element of policy provides considerations for Manufacturing and Control System performance to ensure that the element is applied without adverse impact on the systems to which it is applied. However, it is also essential to review and consider the required performance at the overall systems level to ensure that the security features, taken together, do not adversely affect required time-critical system performance functions.
Functions to consider regarding performance include:
• Overhead time and reliability of firewalls and authentication
• Overhead time and reliability of authentication and authorization functions
• Overhead time and reliability of encrypting and decrypting
• Interoperability

6.6.9 Development Systems
Manufacturing and Control Systems employ the following models for development and configuration change:
• Online development (run-time changes)
• Offline development tools and systems
Online development tools may allow many changes to be made to currently executing applications. While this approach may be valuable in reducing production interruptions and optimizing product parameters, it also adds a degree of risk, especially when development is performed remotely. Cybersecurity-associated risks such as unsecure connections and weakly authenticated users create one type of risk, but there are also significant risks associated with being physically present in the Manufacturing and Control area and making online changes. Good security practices must be followed for offline development tools and systems as well. Because these systems may directly load configuration and application files into online, running Manufacturing and Control Systems, special care must be taken to ensure that good security practices are followed. The overall security policy must consider the increased potential for Manufacturing and Control Systems compromise or failure associated with the development and configuration tools used, and shall preclude features or connections whose risks are not acceptable.

6.6.10 Living Program
The overall corporate security program must incorporate periodic reviews of security initiatives and processes in order to verify that they are in place and working. Corrective action must be taken as appropriate to adapt to changing threats, legal requirements, user needs, and corporate electronic security technology improvements.

6.6.11 Industry Participation
A good security program should incorporate knowledge from outside the company to supplement internally developed program elements, security policies, and security practices. Key security program participants should participate in appropriate industry groups and forums. These groups include sector lead organizations, standards organizations, vendor organizations, and other groups that provide knowledge sharing on how systems are compromised, response approaches, successful programs, policy, and technology.
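The "permissible data flows" design model of 6.6.8 and the layered network segments described there can be checked mechanically. The following is an added example, not code from the ISA report: it encodes the segment order given in the text (enterprise, process information, control, field), assumes a set of protective devices at each boundary drawn from the segment descriptions (routers or a firewall between enterprise and process information, a gateway and optionally a firewall between process information and control, a controller or gateway between control and field), and audits a list of constructed sample flows against two rules: a flow may not skip a layer, and every boundary crossed must pass through one of the expected devices. Segment names, device names and the sample flows are assumptions for this example.

```python
"""Check data flows against the layered network-segment model of 6.6.8.

Added example (not code from the ISA report). Segment names, the set of
boundary devices expected at each layer, and the sample flows are assumptions
drawn from the prose of the report's "Network Segments" description.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Layers of protection, ordered from least trusted (enterprise) to most (field).
SEGMENTS = ["enterprise", "process_information", "control", "field"]

# Protective device that must appear on the path when a boundary is crossed.
# Assumed mapping, derived from the segment descriptions in the report.
BOUNDARY_DEVICES: Dict[Tuple[str, str], set] = {
    ("enterprise", "process_information"): {"router", "firewall"},
    ("process_information", "control"): {"gateway", "firewall"},
    ("control", "field"): {"controller", "gateway"},
}


@dataclass(frozen=True)
class Flow:
    src: str              # originating segment
    dst: str              # destination segment
    via: Tuple[str, ...]  # devices the flow passes through, in order
    purpose: str          # free-text description from the design model


def _boundary(a: str, b: str) -> Tuple[str, str]:
    """Normalise a pair of adjacent segments into the BOUNDARY_DEVICES key."""
    lo, hi = sorted((SEGMENTS.index(a), SEGMENTS.index(b)))
    return (SEGMENTS[lo], SEGMENTS[hi])


def check_flow(flow: Flow) -> List[str]:
    """Return the design-model violations for one flow (empty list = permissible).

    Two rules are enforced: a flow may not skip a layer, and every boundary it
    crosses must pass through one of the protective devices expected there.
    """
    if flow.src not in SEGMENTS or flow.dst not in SEGMENTS:
        return [f"unknown segment in {flow.src} -> {flow.dst}"]
    i_src, i_dst = SEGMENTS.index(flow.src), SEGMENTS.index(flow.dst)
    if i_src == i_dst:
        return []  # traffic within one segment is outside this model's scope
    findings = []
    skipped = abs(i_src - i_dst) - 1
    if skipped:
        findings.append(
            f"skips {skipped} layer(s): {flow.src} -> {flow.dst} must be "
            f"relayed through each intermediate segment"
        )
    step = 1 if i_dst > i_src else -1
    devices_on_path = set(flow.via)
    for i in range(i_src, i_dst, step):
        key = _boundary(SEGMENTS[i], SEGMENTS[i + step])
        expected = BOUNDARY_DEVICES[key]
        if not expected & devices_on_path:
            findings.append(
                f"boundary {key[0]}/{key[1]} crossed without one of "
                f"{sorted(expected)} (path: {list(flow.via) or 'direct'})"
            )
    return findings


def audit(flows: List[Flow]) -> Dict[str, List[str]]:
    """Map each flow's purpose to its findings; an empty list means the flow is permissible."""
    return {f.purpose: check_flow(f) for f in flows}


# Constructed sample flows for a fictional plant (not from the report).
SAMPLE_FLOWS = [
    Flow("enterprise", "process_information", ("router",), "ERP pulls production counts from MES"),
    Flow("process_information", "control", ("gateway", "firewall"), "MES reads historian tags"),
    Flow("control", "field", ("controller",), "controller polls field sensors"),
    Flow("enterprise", "control", ("router",), "desktop HMI client connects straight to a controller"),
    Flow("enterprise", "field", ("modem",), "vendor dial-in modem attached to a field device"),
]

if __name__ == "__main__":
    for purpose, findings in audit(SAMPLE_FLOWS).items():
        status = "PERMISSIBLE" if not findings else "VIOLATION"
        print(f"{status:11} {purpose}")
        for finding in findings:
            print(f"             - {finding}")
```

The two violating sample flows illustrate the report's point that the enterprise network is protected only by business policies: a desktop reaching a controller directly bypasses the process information layer and its gateway, and a modem on a field device bypasses every layer. Running the audit over the flows recorded in a design model, or over connections discovered during a field walk-down, gives a list of items to bring back into compliance with the model.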
6.7 Manufacturing and Control System Change Management Plan
Once the security program is designed, a Manufacturing and Control System change management plan should be developed and implemented. The change management plan is required to establish the methods, activities, roles, and responsibilities for maintaining the required levels of operation, safety, and security protection throughout all life cycle phases of the system. Modifications and upgrades should be made to include changes to manufacturing operations that replace or add control equipment. As changes occur, the Manufacturing and Control System should be reviewed again for the required levels of security protection throughout all life cycle phases of the system. Typical life cycle phases include requirement specification, design, implementation, testing, installation, operation and maintenance, and retirement. The change management plan needs to define the steps to be followed to ensure that operations, safety, and security are not compromised.
The security boundary and scope of the Manufacturing and Control System should be defined in the broadest sense. The change management plan should identify each component in the security boundary. The security boundary typically includes those items identified in the security vulnerability and risk assessment as a source of vulnerability and those credited with providing the required level of protection for vital information sources and assets. These items may involve hardware (physical), software (electronic), and administrative (procedures, policies, training) components, including the items specified below.

6.7.1 Hardware Assets and Components (Physical)
This class of assets to include in the change management plan involves the hardware devices within the security boundary. Examples are as follows:
• Computer hardware (workstations, servers, instruments, controls, power supplies, disk drives, tape backups)
• Network equipment, such as routers, switches, hubs, firewalls, and physical cables
• Communications links (buses, links, modems, network interfaces, antennas)
• Access authentication and authorization equipment, such as domain controllers, RADIUS servers, readers, and scanners
• Development system hardware
• Simulation/training system hardware
• External system hardware
• Spare parts inventories

6.7.2 Software Assets and Components (Electronic)
Additional assets to include in the change management plan are the software components within the security boundary.
Examples are as follows:
• Computer system software (applications, operating systems, external applications, communication interfaces, configuration tables, development tools, analysis tools, utilities)
• Patches and upgrades to operating systems, applications, and tool sets
• Change management software for patch distribution and application upgrades
• Development system software
• Simulation software
• External system applications
• Databases
• Data archives
• Network equipment configuration files
• Access authentication and authorization control applications
• Backup and recovery media (CDs, disks, tapes)
• Design basis documentation (functional requirements including information/assets, security classification, levels of protection, physical and software design, vulnerability assessment, security perimeter, benchmark tests, assembly/installation documents)
• Supplier resources (product updates, patches, service packs, utilities, validation tests)

6.7.3 Administrative Components (Procedures, Policies, Training)
The administrative components are equally important to manufacturing operations as the hardware and software components identified above. Examples are as follows:
• Administrative procedures (operations, maintenance, design change control, access control, configuration management, system/data backup, reconfiguration, disaster/data recovery, internal audit/assessment)
• Personnel access lists
• User and supporting personnel policies and procedures
• Training modules
• Audits/reviews
• Secure public information: control system information protected from public access

6.7.4 Methods and Responsibilities
Once the change management plan elements are identified, it is time to establish the methods, responsibilities, and control steps used to maintain operation, quality, safety, and security levels during all lifecycle phases of the Manufacturing and Control System. Because the scope of the security boundary may extend well beyond the traditional software and hardware of the Manufacturing and Control System systems and applications, the change management plan may require a coordinated effort across organizational and physical boundaries. Methods used to enforce the change management plan may include, but are not limited to:
• Maintaining documentation on the security aspects of system requirements, vulnerability, system design, security boundary, benchmark/validation tests, procedures, and personnel access lists.
• Reviewing proposed changes to the Manufacturing and Control System and to external systems that impact the security boundary. Changes could involve design, upgrades, patches, spare parts, and procedures.
• Identifying, controlling, and limiting access to the sources of hardware, software, spare parts, patches, and service packs used in system development, testing, and installation. This process may involve placing requirements on suppliers.
• Maintaining system recovery sources for rebuilding the existing system or previous versions.
• Performing verification/validation testing of security requirements for design changes, upgrades, maintenance, and reconfiguration, and during system startup/recovery.
• Periodically assessing and testing the vulnerability of the security boundary, commensurate with the level of security protection required.
• Periodically or continuously monitoring user access, access lists, and failed/unauthorized access attempts.
• Periodically backing up vital data and operating parameters.

6.8 Security Lifecycle
The above tasks can be accomplished by applying a systematic approach similar to that used for the management of safety-related systems described in the IEC 61508 standards, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems, as the "safety lifecycle." A similar lifecycle was defined in ANSI/ISA-TR99.00.01-2004 ("TR1") and ANSI/ISA-TR99.00.02-2004 ("TR2") and is shown in the following diagram.
[Figure: TR2 Security Lifecycle diagram. Steps shown: Define Risk Goals; Assess and Define Existing System; Conduct Risk Assessment and Gap Analysis; Design and Select Countermeasures; Procure and Build Security Countermeasures; Define Component Test Plans; Test Countermeasures; Define Integration Test Plan; Perform Pre-installation Integration Test; Define System Validation Test Plan; Perform Validation Test on Installed System; System goes operational; Finalize Operational Security Measures; Routine Security Reporting and Analysis; Periodic Audit and Compliance Measures; Reevaluate Security Countermeasures (Break-in or Major Plant Change).]

This model of the security lifecycle identifies the specific steps that must be taken to assemble a complete security program. The following table provides a brief description of each step, as well as a reference to the section of this document that contains the detailed description.

Description | Section
Define Risk Goals | 7
Assess and Define Existing System | 8
Conduct Risk Assessment and Gap Analysis | 9
Design and Select Countermeasures | 10
Procure and Build Countermeasures | 11
Define Component Test Plans | 12
Test Countermeasures | 13
Define Integration Test Plan | 14
Perform Pre-installation Integration Test | 15
Define System Validation Test Plan | 16
Perform Validation Test on Installed System | 17
Finalize Operational Security Measures | 18
Routine Security Reporting and Analysis | 19
Periodic Audit and Compliance Measures | 20
Re-evaluate Security Countermeasures | 21

6.9 Program Step Details
The remaining sections of this document describe the basic steps of the security lifecycle in detail, including specific guidance and references.

7 Define Risk Goals
Risk goals define the company's tolerance level for risk. Defining the acceptable level of risk is key to beginning the security program. Once the goals are articulated and agreed to, tactical implementation/operational policies can be developed to adequately address and mitigate the various risks identified during the risk assessment phase. The types of risks anticipated are identified and the appropriate level of response is determined, based on the nature of the system and its environment. Factors to consider include business impact, the nature of the materials being handled, regulatory controls, and cost constraints.
The goals must be clearly defined and approved at the appropriate management level because they determine the amount of effort expended to address the specific risks that arise. For example, the goal for addressing risk to personal health and safety may be virtual elimination, while a similar goal for addressing the risk of release of non-toxic materials may be somewhat lower. The types of risks may be identified through a variety of means, ranging from corporate governance and external regulatory compliance to the application of a formal risk assessment methodology. The specific goals identified to address them form the foundation of the security program.
Operational policies that define how security is applied to control systems should also be developed. These policies address issues such as remote access, direct connections to corporate systems, and Internet access from control systems. The Annex provides an example set of security policies and practices developed to support the security risk goals of the overall security program in a company's Manufacturing and Control Systems environment. The examples are provided to illustrate the level of policy and practice decisions that need to be made to support meeting the risk goals.

8 Assess and Define Existing System
Once the basic program and risk goals are established, the next step is to conduct an assessment of the existing system. This step includes obtaining or developing a thorough system description.

8.1 Form Cross-Functional Team
The networks and hardware making up today's systems are fairly complicated and require a high degree of knowledge and sophistication. Setting up a security system and providing ongoing support can be no less daunting. The skill level required to perform these tasks is not typically found within a single organization. Therefore, a cross-functional team can be quite valuable to accurately characterize the installed systems, design the best security architecture, and accomplish the task quickly. Plant personnel would normally be expected to lead this effort, including site manufacturing, process control, and IT. Others to be considered are the corporate engineering organization, the corporate security organization, the support organization, network engineers, and/or hardware vendors.

8.2 Pre-Risk Analysis Activities
8.2.1 Perform Screening Inventory to Identify and Characterize Manufacturing and Control Assets
Meet with process control and manufacturing personnel to identify the different process control systems used throughout the site.
The focus should be on systems rather than just devices, and should include PLC, DCS, and instrument-based systems with a central human interface or monitoring device. Include manufacturing areas, as well as utility areas such as the powerhouse and waste-treatment facilities. Record the information in a standard form as you identify process control systems. An example standard form is shown below; it can easily be created as a form or spreadsheet.

Manufacturing and Control Network Characterization
SBU / Business / Site / Operating Unit / Site Contact and Ph# / Site Process Control Contact and Ph# / Last Updated
PLEASE ANSWER THE FOLLOWING QUESTIONS:
- Are manufacturing control systems currently interfaced to site or corporate LANs?
- Are manufacturing control systems remotely accessed from outside the manufacturing control domain?
Process Control Domain
- Total number of IP addressable nodes
- Number of IP addressable nodes accessed from outside the process control domain
- Number of concurrent users inside the Manufacturing Control Domain
- Number of concurrent users inside the Manufacturing Control Domain requiring access to external resources
- Number of total users outside the Manufacturing Control Domain requiring access to Process Control Resources
- Number of concurrent users outside the Manufacturing Control Domain requiring access to Process Control Resources
IP Addressing (check all that apply): DHCP / Public addresses used (i.e. 49.x.x.x) / Static / Private addresses used (192.168.x.x)
Control Platforms: Number of Control Platforms / Control Platform Type (PLC, DCS, PC) / Control Platform Manufacturer(s) / Control Platform Model(s)
Operator Consoles & HMI Devices: Number of Operator Consoles / Operator Console Manufacturer(s) / Operator Console Model(s) / Operator Console Operating System(s)
Application Nodes (check all that apply): PM&C Server / SCADA / OPC Server / EWS / PDC / BDC / Batch Server
Network Security Barriers - Type (Firewalls, routers, VLANs, etc.)
Anticipated Network Security Support (check all that apply): Site Resources / External (CSC, 3rd party)
Site Network (answer Yes / No):
- Are current site network topology diagrams available and up to date?
- Are process control nodes isolated on a LAN segment?
- Is a site information security policy in place?
- Has a security office audit been completed? (if Yes, date completed _________)
- Does the site use two-factor authentication?
- Has a security office risk assessment been completed? (if Yes, date completed ________)
Remote Access Requirements (check all that apply): via site / corporate LAN / via dial-up modem / via Internet / via local dial-up modem directly tied to manufacturing control node(s)
Local Egress Requirements (check all that apply): site applications & resources (document management systems, quality systems, business systems) / corporate applications & resources (document management systems, quality systems, business systems) / Internet sites

If the inventory is being performed as part of a corporate-wide security program, it may be beneficial to record the information in a searchable database.
Take care in identifying and inventorying process control systems to focus attention beyond the devices that perform direct control. The system network may be more than the PLC or DCS. In an integrated manufacturing or production facility, the Manufacturing Control Network is comprised of the devices directly used to manufacture, inspect, manage, and ship product, and may include the following components:
• DCS controllers
• DCS operator consoles
• DCS configuration workstations
• Special DCS application nodes that perform functions such as alarm logging, historical logging, running models, or acting as communication interfaces
• DCS domain controllers
• PLCs
• PLC human interface stations
• Shop floor (special purpose) computers
• Shop floor (special purpose) operator stations
• Process information management systems
• Process control modeling systems
• Expert systems
• Inspection systems
• Barcode scanning devices and systems
• Barcode labeling devices and systems
• Analyzers
• Network communication gateways
• Gauging systems
• Batch systems
• SOC (Standard Operating Condition) and SOP (Standard Operating Procedure) systems
• Document management systems
• Program development computers
• HVAC control systems
• Network protection devices (e.g., existing firewalls, IDS devices)
Consider including all computer processor-based networked devices critical to sustaining production.
The objective of this inventory step is to discover the devices to include in the risk analysis that make your process vulnerable to network-based attacks.
NOTE: This is not the time or the decision point for deciding which devices should be isolated or separated on a LAN. Err on the side of including more devices rather than fewer. Once you perform the Risk Analysis and have a better understanding of your overall vulnerabilities, you should decide whether a firewall is truly necessary and where the various devices should be located.

8.2.2 Develop Network Diagrams
Before conducting a risk assessment, it is important to have a clear understanding of the scope and boundaries of the system to be assessed, and to set boundaries for the systems to be analyzed. A good starting point is to develop a network diagram of the manufacturing computer system. The network diagram is a graphical representation of the devices identified on the Manufacturing Control Network Inventory Assessment form discussed in the previous section. The diagram should attempt to capture the basic logical network architecture and connectivity approaches, combined with physical network architecture basics such as the location of devices. The diagram is a tool to help visualize the network and to aid in performing the risk analysis. An example is shown below.
[Figure: example network diagram. Devices shown include: Internet/WAN; Enterprise/Distributed Outside Plant World; Firewall; Control Server; Redundant Control Server; Data Historian; Engineering Workstation; Hub/Switch; HMI; Light Tower; Data Printer; Modem; OPC Client/Server Workstations; Application Server; Primary Domain Controller; Backup Domain Controller; Wireless Device; Peer to peer network; Single Loop Controller; Process Controller; Solenoid Valve; Temp Sensor; Pressure Regulator; Pressure Sensor; Servo Valve; I/O; Fieldbus; Programmable Logic Controller (PLC); Photo eye; Variable Freq Drive; AC Drive; DC Servo Drive; Proximity Sensors; Servo Drive; Machine Controller; Motion Control Network; Logic Control; sensors and actuators.]

8.2.3 Automated Inventory Tools
There are several inventory tools that work across networks to identify and document the hardware, systems, and software resident on the network.
Conduct an assessment of how the tools work and what impact they might have on connected control equipment before using any of them. Tool evaluation may include testing in similar, non-production control system environments to ensure that they do not adversely impact production systems. Tools that have no impact on non-production systems may still send information that could (and has in the past) cause control system failures or impairment. The impact could be due to the nature of the information and/or the system traffic loading. While this impact may be acceptable for other systems, it is not acceptable for Manufacturing and Control Systems.

8.3 Update Screening Inventory
After developing the network diagram that defines the scope of your manufacturing computer system, go back and update the information on your Inventory Assessment form.

8.4 Make Preliminary Assessment of Overall Vulnerability
Plan to conduct a full risk analysis if you:
• determine that your process control system is presently connected to your site network or to outside networks (e.g., Internet, modems). The risk analysis will help you better understand your vulnerabilities and the appropriate mitigation strategy to reduce risk.
• determine that your system is currently supported remotely.
• anticipate meeting either criterion above in the near future. Perform the risk analysis before taking steps that place you in this high-vulnerability position.
Make the decision on where to devote your time for further risk analysis and mitigation based upon your analysis of system vulnerability and risk. Develop an initial prioritization to better channel your efforts.

9 Conduct Risk Assessment and Gap Analysis
9.1 Conduct Detailed Risk Analysis and Vulnerability Assessment of Prioritized Assets
The plan provides for system security assessments to determine the vulnerabilities and weaknesses that need to be addressed. These assessments cover the assets identified and classified in the previous activity. They range from a simple review of system design and configuration to a comprehensive assessment beginning with design and configuration reviews and including field walk-downs to identify undocumented network connections, modems, and wireless interfaces, and penetration testing to determine whether existing security measures are adequate.
Consideration needs to be given to all aspects of the Manufacturing and Control Systems being assessed, including unintended changes to the system configuration brought about by maintenance, "temporary" supplier connections for system support, and even subtle changes in supplier design that could introduce vulnerabilities through spare parts or upgrades; these should be considered and/or tested in the same manner as the original system components. The plan needs to address other systems that interface with the Manufacturing and Control System to ensure that they cannot be compromised by the Manufacturing and Control System security, or lack thereof.
Examples include development systems that provide on-line development capabilities and environmental or power systems whose compromise could create unacceptable risks. In some cases, the vulnerability may lie with the vendor. Vendor quality assurance and design control may require a vulnerability assessment. This step is particularly important when ordering spare parts or upgrades; spare parts testing may be required.
Typical areas that may be vulnerable (or previously identified weaknesses in certain systems) should be identified and examined, such as:
• Wireless access points, particularly IEEE 802.11b.
• Modem connections, particularly those that do not dial back or provide encryption.
• Other remote access software (e.g., pcAnywhere, Timbuktu), programs typically used by experts within an outside entity to support system operations. These applications can provide significant control and configuration access to an unauthorized individual.
• Other remote windowing technologies such as X Windows.
• Internet connections.
• Intranet connections.
• Telemetry networks.
• Any network connections to other systems that are not a direct part of the Manufacturing and Control System.
• Any network connections used to couple parts of a SCADA or control system together that are not part of a physically secure, dedicated Manufacturing and Control System network. In other words, any network that extends beyond the boundary of a single physically secured perimeter, across less secure areas, or is used for both manufacturing control and other functions at the same time. Equipment included in such network connections includes radio telemetry and outsourced services such as frame relay used to communicate between geographically separated areas.
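The screening inventory of 8.2.1, the preliminary assessment of 8.4 and the list of typically vulnerable areas in 9.1 above fit together as one small piece of tooling when the inventory is kept in a searchable database, as the text suggests. The following is an added example, not code from the ISA report: each record mirrors the fields of the Manufacturing and Control Network Characterization form, needs_full_risk_analysis() applies the three 8.4 criteria, exposure_findings() flags which of the 9.1 areas a system exhibits, and prioritize() produces the initial prioritization that 8.4 asks for. The field value names (such as "dialup_modem" or "site_lan"), the record layout and the sample records are constructed for this example.

```python
"""Screening inventory records and the preliminary vulnerability decision of 8.4.

Added example (not code from the ISA report). The record fields mirror the
Manufacturing and Control Network Characterization form in 8.2.1; the value
names and the sample records are constructed for this example, and the
exposure checks follow the typical vulnerable areas listed in 9.1.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class ControlSystemRecord:
    operating_unit: str
    platform_type: str                 # PLC, DCS or PC, as on the form
    interfaced_to_site_lan: bool       # "interfaced to site or corporate LANs?"
    remotely_supported: bool           # "remotely accessed from outside the domain?"
    planned_connection: bool = False   # connection or remote support anticipated soon
    remote_access: Set[str] = field(default_factory=set)  # site_lan, dialup_modem, internet, local_modem
    local_egress: Set[str] = field(default_factory=set)   # site_apps, corporate_apps, internet_sites
    wireless_access_points: int = 0
    remote_access_software: Tuple[str, ...] = ()          # e.g. pcAnywhere, Timbuktu


def needs_full_risk_analysis(rec: ControlSystemRecord) -> bool:
    """The 8.4 criteria: connected now, supported remotely now, or expecting either soon."""
    connected = rec.interfaced_to_site_lan or bool(rec.remote_access)
    return connected or rec.remotely_supported or rec.planned_connection


def exposure_findings(rec: ControlSystemRecord) -> List[str]:
    """Flag the 9.1 'typical areas that may be vulnerable' that this record exhibits."""
    findings = []
    if rec.wireless_access_points:
        findings.append(f"{rec.wireless_access_points} wireless access point(s)")
    if rec.remote_access & {"dialup_modem", "local_modem"}:
        findings.append("modem connection")
    if rec.remote_access_software:
        findings.append("remote access software: " + ", ".join(rec.remote_access_software))
    if "internet" in rec.remote_access or "internet_sites" in rec.local_egress:
        findings.append("Internet connection")
    if rec.interfaced_to_site_lan or "site_lan" in rec.remote_access:
        findings.append("intranet/site LAN connection")
    return findings


def prioritize(records: List[ControlSystemRecord]) -> List[Tuple[str, bool, List[str]]]:
    """Initial prioritization: systems needing a full analysis first, most exposed first."""
    scored = [(r, needs_full_risk_analysis(r), exposure_findings(r)) for r in records]
    scored.sort(key=lambda t: (not t[1], -len(t[2]), t[0].operating_unit))
    return [(r.operating_unit, need, f) for r, need, f in scored]


# Constructed records for a fictional site (not from the report).
SAMPLE_RECORDS = [
    ControlSystemRecord("Powerhouse PLC", "PLC", False, False),
    ControlSystemRecord("Line 1 DCS", "DCS", True, True,
                        remote_access={"site_lan"},
                        local_egress={"site_apps", "corporate_apps"},
                        remote_access_software=("pcAnywhere",)),
    ControlSystemRecord("Batch area PLC", "PLC", False, True,
                        remote_access={"dialup_modem"},
                        local_egress={"internet_sites"},
                        wireless_access_points=1),
    ControlSystemRecord("Waste treatment PC", "PC", False, False, planned_connection=True),
]

if __name__ == "__main__":
    for unit, need, findings in prioritize(SAMPLE_RECORDS):
        print(f"{unit:20} full risk analysis: {'yes' if need else 'no':3} "
              f"exposures: {findings or 'none'}")
```

Note that the waste-treatment system is queued for a full risk analysis even though it has no exposures yet: the third 8.4 criterion is about what is anticipated, and the text asks for the analysis to be done before the connection is made.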
9.1.1 Overview of the Process
There are several different methodologies that can be used to perform a security vulnerability assessment of your Manufacturing and Control Systems. Assessments can be divided into asset-based and threat-based methodologies, but all should lead you to the same conclusion: identifying the information and the particular devices that are vulnerable and must be addressed with appropriate risk-mitigation strategies. The particular methodology included in this document falls into the asset-based category, and has been found to be fairly straightforward to implement and effective in a manufacturing environment. The examples in this section are based on using this methodology.
1) Identify your assets and record them in asset tables.
2) Examine each asset for vulnerabilities and assign a quantitative value to the vulnerability based on the probability of an incident occurring and the potential criticality of the result of the incident.

9.1.2 Identify Assets
When you did the pre-risk analysis activities, you identified several process control devices in the "Manufacturing Control Network Inventory Assessment form" spreadsheet and the network diagram. The next step is to begin to identify the assets to be protected. Because data and devices typically have different types of security issues, it is best to sort assets into two lists: Data Assets and Network Application/Device Assets.

Data Asset Examples
• Control algorithms
• Production schedules
• Process variables
• Set points
• Tuning data
• Account names, passwords, file names, host names
• Recipes
• Standard operating conditions
• Control configurations
Tabulate the data assets in a Data Asset Table (see table 1 for an example).

Table 1 - Data Asset Table Example
Data Assets: the threat of theft, corruption, falsification, or loss of the following data:
Data Asset | Probability | Criticality | Remote Access | Local Egress | Comments
Process variables | | | | |
Set points | | | | |
Tuning data | | | | |
Account names, passwords, file names, host names | | | | |
Control configurations/programs | | | | |

Application/Device Asset Examples
• Operator control stations
• Engineering workstation
• Email console
• Internet access console
• Control room printer
• Computer gateway
• Process measurement and control system
• Process controller
• Programmable field devices
Tabulate the application and device assets in an Application/Device Asset Table. An example is shown in table 2.

Table 2 - Application/Device Asset Table Example
Application/Device Assets: the threat of corruption, denial of service, or destruction of the following MCN applications/devices:
Application/Device Asset | Probability | Criticality | Remote Access | Local Egress | Comments
E-mail operator console | | | | |
Internet access operator console | | | | |
Engineering configuration workstation | | | | |
Computer gateway | | | | |
Control room printer | | | | |

9.1.3 Identify and Rate Threats
The next step is to classify each threat, a three-step process:
1) Identify the type of threat to which the asset is susceptible.
2) Assign a threat rating to the asset.
3) Determine how quickly a compromise needs to be detected and how long the threat can exist without mitigation.
The threat rating is based upon the probability of an incident happening and the criticality of the resulting action. The quantitative rating scales are discussed in detail later. Classifying threats helps identify vulnerabilities and encourages thought and awareness. Additionally, the classification is used in the recommended mitigation steps. These steps are important because they provide guidance for implementing certain security measures and justification for doing so.
Descriptions of the types of threats that may be encountered are shown below.
• Information Disclosure: Exposing information to individuals who are not authorized. Information disclosure threats include a user's ability to read a file he or she was not granted access to, and an intruder's ability to read data in transit between computers.
• Tampering with Data: The malicious or accidental modification of data. Examples include making unauthorized changes to persistent data, such as information in a database, and altering data as it flows between computers over an open network, such as the Internet. Altered data could take the form of altered commands to process controllers.
• Spoofing Identity: Illegally accessing and then using another user's authentication information, such as the user's username and password. Once inside the system, the hacker could issue unwanted commands/messages to control devices.
• Identity Repudiation: Threats associated with users who deny performing an action while other parties have no way of proving otherwise. For example, a user performs an illegal operation in a system that cannot trace prohibited operations.
• Denial of Service (DoS): Attacks that deny service to valid users, such as making a Web server temporarily unavailable or unusable. You must protect against certain types of DoS threats simply to improve system availability and reliability.
• Elevation of Privilege: Threats associated with unprivileged users gaining privileged access and thereby the ability to compromise or destroy the entire system. This threat includes situations where an attacker has effectively penetrated all system defenses and has become part of the trusted system itself, an extremely dangerous situation.

Once you understand the types of threats to which you could be subjected, the task is to examine the assets listed in the network asset tables and attempt to rate the vulnerability of these assets to these types of threats. The quantitative rating scale below (table 3) will help you in this process. Threats are classified by probability (likelihood) and criticality (impact or consequences).

Table 3 — Probability/Criticality Example
Probability | Criticality
A = Very likely | 1 = Severe impact
B = Likely | 2 = Major impact
C = Not likely | 3 = Minor impact
D = Remote chance | 4 = No impact

Probability Rating Scale

There are two factors to consider in determining threat probability: the source of the threat and network segment exposure.

Likely sources of threats are from:
• Outsiders: Intruders outside your network who come in from the Internet, dial-up lines, physical break-ins, or partner (supplier or customer) networks linked to the corporate network. Outsiders are often called hackers, and could possess very detailed knowledge of the control system based upon experience with the same brand of control system at another installation. Outsiders may launch very directed attacks in the form of a break-in with a specific action taken on a designated system device, such as corrupting a program or manipulating a field control device. Another form of outsider attack is non-directed malicious code like a virus or worm. The malicious code's impact on a system may be quite large and the outcome very unpredictable.
• Insiders: Legitimate users of your internal network who misuse privileges or impersonate higher-privileged users.
In a Manufacturing and Control Systems environment, an insider can work for the manufacturing company, the control system supplier, a consultant, or another company. Another threat from insiders comes from those who, through non-malicious behavior, cause accidental breaches of security policy through either mis-training or mis-typing. Insiders may launch the same sort of directed or non-directed attacks on systems as described above.

The following classifications explain how hackers can be classified by threat potential.
• A (very likely): a moderately skilled hacker could easily pose a threat to the asset, such as stealing data or infecting a hard drive.
• B (likely): a moderately skilled hacker could pose the same threat with a great deal of effort.
• C (not likely): an expert hacker could pose the threat with a great deal of effort.
• D (remote chance): an expert hacker would not be expected to pose a threat to your asset.

In the example methodology used in this section, simplifying assumptions are made to reduce the complexity of the analysis and decrease the time needed to perform the analysis.
• Operators and support engineers who have in-depth knowledge of the manufacturing systems and the manufacturing process are trusted to safely operate the facility.
• The opportunity to launch a cyber attack from within the manufacturing area is less than that from outside the facility. Physical controls are in place to limit access to control devices and network connections within the physical boundaries of the control area or manufacturing operation.
• A disgruntled operator or support engineer intent on causing harm has the access and knowledge to physically hijack the process far more easily than doing so by cyber means.
• The number of non-directed malicious code attacks by hackers exceeds the number of precisely directed terrorist or hacker attacks.
• Overriding safety interlock systems, emergency shutdown systems, and auxiliary-dependent backup devices are fully functional to guard against foreseen accidents.

Therefore, the assumption that the highest probability cyber threat comes from outside simplifies the assessment by basing risk on the network segments that data transgress or on the location of the application/device. Threat probabilities become a function of the method of access or type of communications medium and the skill of hackers. If data travel over a less secure network segment like the Internet, the threat probability is very likely because the data are potentially accessible to everyone in the world.
Threat probability is also considered very likely if data are being sent over a wireless device that does not employ adequate security techniques. See table 4 for a threat probability example.

This simplification is not intended to say that hackers are not a real threat, but that attention should be focused on understanding how much opportunity they have to invade your system. It is up to the user to determine whether the simplifying assumptions in this example make sense for his or her particular manufacturing facility. The assumptions are likely to be different for a nuclear weapons facility, a chemical facility, a pharmaceutical operation, or a packaging operation for commercial parts. The user may wish to employ the classical approach of quantitatively assessing probability by examining "difficulty of attack" and "attractiveness of target." There are many additional texts on the subject of risk assessment that can be consulted if the simplified approach included here does not address your site's issues.

Table 4 — Threat Probability Example
Probability | Criticality
A = Very likely | 1 = Severe impact
B = Likely | 2 = Major impact
C = Not likely | 3 = Minor impact
D = Remote chance | 4 = No impact

Network Segments | Probability
Internet, Wireless, Direct Dial-in | A
Corporate intranet; Two-factor, token-based authentication dial-in connection | B
Site LAN, integrated LAN (integrated Manufacturing Control Network) | C
Isolated Manufacturing Control Network | D

The diagram below further clarifies the network segment identified as Internet, Wireless, Direct Dial-in. These three network connection types have similar security risk levels.
1. Internet connectivity involves communications between an MCN client and a PC reaching the corporate intranet through the Internet.
2. Wireless connections employ radio frequency communication technology to an MCN PC located either within or outside the site boundary.
3. Direct dial-in is defined as dialing into a modem system that does not employ a secondary method of confirming the identity of the caller, such as token-based authentication.

[Diagram: Internet, Modem]

The diagram below further clarifies the network segment identified as corporate intranet and two-factor token-based authentication dial-in. These network connection types have similar security risk levels.

[Diagram: Modem, Corporate intranet, two-factor token-based authentication dial-in connections]
1. Corporate intranet connectivity addresses connection of a client PC within the corporate intranet, but outside the site LAN.
2. Two-factor authentication dial-in connections employ token authentication for strong user authentication.

[Diagram: Site A, Site B]

The diagram below further clarifies the network segment identified as Site LAN, integrated Manufacturing Control Network. Site LAN integrated MCN: this connection type describes PCs connected to the site LAN communicating with devices within the MCN.

[Diagram: Manufacturing, Office, Site]

The diagram below further clarifies the network segment identified as Isolated Manufacturing Control Network. Isolated MCN: the MCN has no connectivity to the site LAN or corporate intranet. PC clients are located directly on the MCN.

[Diagram: Manufacturing, Office, Site]

Using the network segment or media type to determine the probability rating is a simple assumption used in this example analysis methodology. More rigorous methods can be employed to determine probability. Any simplification used must match the overall risk goals and risk-mitigation policies and practices your company establishes for the Manufacturing and Control Systems environment.

Criticality Rating Scale

In addition to assessing the probability of a threat to an asset, it is important to understand the criticality of the asset. Criticality is dependent on the type and probability of the threat. The following supporting table presents several impact areas to examine in choosing the appropriate criticality rating. The rating categories are very similar to those used in Process Safety Management. If the threat can be classified using more than one category, select the most severe criticality rating. For example, if a certain threat would cause hours of interrupted production (impact/criticality = 2) and could cause death (impact/criticality = 1), the overall criticality of the threat is rated 1. Businesses and sites may have different interpretations of criticality. For example, some sites may define "hours" of interrupted production as a major impact instead of a minor impact. Tailor the definitions to suit your corporate risk goals and any site-specific values or environmental needs. This process is intended to help people understand the security requirements of the site. Because the probability and criticality results are somewhat subjective, it is possible to shape the definitions and classifications to produce a desired result.
This action may produce results that represent a false sense of security. It is important to be realistic and objective in the definitions and classifications in order to get an accurate sense of the security requirements. The user must select rating scale attributes that reflect his or her company's tolerance for risk.

The graphic below depicts how probability and criticality ratings can be quantitatively assessed based upon the descriptions in the supporting tables.

Probability | Criticality
A = Very Likely | 1 = Severe Impact
B = Likely | 2 = Major impact
C = Not Likely | 3 = Minor impact
D = Remote Chance | 4 = No impact

Impact Category | 1 = Severe | 2 = Major | 3 = Minor | 4 = None
Injury | Loss of life or limb | Requires hospitalization | Cuts, bruises requiring first aid | None
Financial loss | Millions | $100,000 | $1,000 | None
Environmental release | Permanent damage / off-site damage | Lasting damage | Temporary damage | None
Interruption of Production | Week | Days | Minutes | None
Public Image | Permanent damage | Lasting blemish | Temporary tarnish | None

Network Segment | Threat Probability
Internet, Wireless, Direct Dial-in | A = Very Likely
Intranet, Secure Dial-in | B = Likely
Integrated MCN | C = Not Likely
Isolated MCN | D = Remote Chance

Rating Probability and Criticality of Assets

Examine the assets listed in both the Data Asset and Device/Application Asset tables (see tables 5 and 6). Note whether each asset is accessed remotely (from outside the process control area) and whether the asset must be supplied to users who are located outside the manufacturing control area. Using the probability/location criteria discussed earlier, assign a probability rating to each asset. Record the ratings in the Asset tables. Examine the assets listed in both the Data Asset and Application/Device Asset tables. Using the criticality rating guidance table discussed above, assign a criticality rating to each asset. Record the ratings in the Asset tables.

Table 5 — Data Asset Rating Example
Data Assets: threat of theft, corruption, falsification, or loss of the following data:

Data Asset | Probability | Criticality | Remote Access | Local Egress | Comments
Process variables | B | 1 | Yes | Yes | Includes regulatory data
Set points | B | 1 | Yes | Yes |
Tuning data | D | 1 | Yes | No | Loop info, etc.
Account names, passwords, file names, host names | B | 2 | Yes | No |
Control configurations/programs | C | 1 | Yes | Yes | Document control?

Table 6 — Application/Device Asset Rating Example
Application/Device Assets: threat of corruption, denial of service, or destruction of the following MCN applications/devices:

Application/Device Asset | Probability | Criticality | Remote Access | Local Egress | Comments
E-mail operator console | A | 1 | Yes | Yes |
Internet access operator console | A | 1 | Yes | Yes |
Engineering configuration workstation | C | 1 | Yes | Yes |
Computer gateway | B | 1 | No | Yes | Need to better understand capability of interface
Control room printer | B | 4 | Yes | No |

9.2 Prioritize Systems for Implementation Phase of Risk Mitigation Plan

Once vulnerabilities are identified, it is important to assess them in terms of relative priority because it is unlikely that all can be addressed immediately.

10 Design and Select Countermeasures

With a defined and prioritized set of vulnerabilities, you can begin to identify specific countermeasures for those that are immediate.

10.1 Implement Risk Mitigation Strategies Based upon Detected Vulnerabilities

10.1.1 Risk Mitigation Strategies

There are a number of steps you can take to reduce the cybersecurity risk and vulnerability of your Manufacturing and Control System. A common strategy involves separating the business LAN from the Manufacturing Control Network. This is not the only strategy to consider, but it does form the foundation for other strategies.

Mitigation Strategy Matrix Tables must be developed to support the company's risk goals and risk mitigation policy. These tables provide guidance for reducing the level of risk associated with your Manufacturing Control Network. Based upon the threat classification ratings, the tables recommend where to employ firewall security technology as a way to reduce risk to your process.

Examine the ratings in the Device/Application Asset table (see table 7). Determine the highest threat rating for an application/device asset (e.g., A1). Locate A1 in the Mitigation Strategy Matrix table (table 8) for Device/Application Assets to determine the security level required for your process control network (i.e., firewall required).
Table 7 — Manufacturing Control Network Application/Device Asset Rating Example
Manufacturing Control Network Application/Device Assets: threat of corruption, denial of service, or destruction of the following MCN applications/devices:

Application/Device Asset | Probability | Criticality | Remote Access | Local Egress | Comments
E-mail operator console | A | 1 | Yes | Yes |
Internet access operator console | A | 1 | Yes | Yes |
Engineering configuration workstation | C | 1 | Yes | Yes |
Computer gateway | B | 1 | No | Yes | Need to better understand capability of interface
Control room printer | B | 4 | Yes | No |

Table 8 — Mitigation Strategy Matrix Table for Application/Device Assets on the Manufacturing Control Network

Probability \ Criticality | 1 Severe | 2 Major | 3 Minor | 4 None
A – Very Likely | Firewall required | Firewall required | Firewall required |
B – Likely | Firewall required | Firewall required | Firewall recommended |
C – Not Likely | Firewall required | Firewall required | Firewall recommended |
D – Remote Chance | Firewall recommended | | |

In a similar manner, review the threat ratings in the Data Asset table (see table 9) and locate the values in the Mitigation Strategy Matrix table for Data Assets (table 10). This information provides guidance on how to protect each data asset. During implementation design, you may choose to adopt different mitigation strategies for different kinds of data assets. In the example below, control configuration programs have a rating of C3. The matrix table suggests that no mitigation is recommended to protect this data asset.

Table 9 — Data Asset Rating Example
Data Assets: threat of theft, corruption, falsification, or loss of the following data:

Data Asset | Probability | Criticality | Remote Access | Local Egress | Comments
Process variables | B | 1 | Yes | Yes | Includes regulatory data
Set points | B | 1 | Yes | Yes |
Tuning data | D | 1 | Yes | No | Loop info, etc.
Account names, passwords, file names, host names | B | 1 | Yes | No |
Control configurations/programs | C | 3 | Yes | Yes | Document control?
Table 10 — Mitigation Strategy Matrix Table for Data Assets

Probability \ Criticality | 1 Severe | 2 Major | 3 Minor | 4 None
A – Very Likely | Mitigation required | Mitigation required | Mitigation required (intranet perimeter) | Mitigation required (intranet perimeter)
B – Likely | Mitigation required | Mitigation required | |
C – Not Likely | Mitigation required | | |
D – Remote Chance | | | |

10.1.2 Mitigation Design

If you decide to install a firewall to separate your LAN from the Manufacturing Control Network, it may be helpful to develop a chart that lists assets categorized by type (device/application or data), network segment, and logical location relative to the firewall barrier. An example of this type of matrix is shown in table 11. Remember, the assets in your system will probably be different. As you develop this logical design, ask yourself the following questions:
• Is there value derived from the asset's connection to the network, or should the asset simply be removed or isolated?
• Can assets be moved or network connections rerouted to minimize the number of firewalls required?
• If a sub-unit of a larger site is being assessed, can it be protected more efficiently in combination with other parts of the site?
• What alternate steps should be taken to reduce the vulnerability of this asset? For example, frequent backups reduce the potential for data loss; employing RAID (redundant array of independent disks) or disk image cloning management technologies reduces the potential for data loss; redundant hot devices reduce downtime potential; in-place cold duplicate devices with manual switchover reduce downtime potential; and the like.

Transform this logical network layout into an actual physical network design. Produce Manufacturing Control Network design documents showing all nodes on the process control network, all applications that interact with the process control systems, firewall location, intent of the site architecture, and routing infrastructure.
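The rating and matrix lookup steps of 9.1.3 and 10.1.1 are mechanical once tables 4, 8 and 10 are written down, so the following Python script works them through end to end: it derives each asset's probability letter from the most exposed network segment it is reachable from (table 4), takes the most severe impact rating across the impact categories as the criticality (the criticality graphic above), finds the highest-rated application/device asset and looks it up in table 8, and looks each data asset up in table 10. This is an added example, not code from the Technical Report or from ISA; the asset list is constructed sample data modelled on tables 5 through 9, and the segment names and impact-category keys are this example's own naming.

```python
"""Worked example of the ISA-TR99.00.02 asset rating and mitigation
strategy matrix lookup (sections 9.1.3 and 10.1.1).

Added illustration, not part of the Technical Report. The dictionaries
below transcribe tables 4, 8 and 10; the SAMPLE_* asset lists are
constructed data modelled on tables 5 through 9.
"""
from dataclasses import dataclass, field

# Table 4 / probability graphic: network segment -> probability rating.
SEGMENT_PROBABILITY = {
    "internet": "A", "wireless": "A", "direct dial-in": "A",
    "corporate intranet": "B", "two-factor dial-in": "B",
    "site lan": "C", "integrated mcn": "C",
    "isolated mcn": "D",
}

# Impact categories of the criticality graphic (keys are this example's naming).
IMPACT_CATEGORIES = ("injury", "financial", "environmental", "production", "public_image")

# Table 8: application/device assets. Row = probability, columns = criticality 1..4.
DEVICE_MATRIX = {
    "A": ("Firewall required", "Firewall required", "Firewall required", None),
    "B": ("Firewall required", "Firewall required", "Firewall recommended", None),
    "C": ("Firewall required", "Firewall required", "Firewall recommended", None),
    "D": ("Firewall recommended", None, None, None),
}

# Table 10: data assets.
DATA_MATRIX = {
    "A": ("Mitigation required", "Mitigation required",
          "Mitigation required (intranet perimeter)",
          "Mitigation required (intranet perimeter)"),
    "B": ("Mitigation required", "Mitigation required", None, None),
    "C": ("Mitigation required", None, None, None),
    "D": (None, None, None, None),
}


def criticality_rating(impacts):
    """Most severe (lowest-numbered) rating across impact categories; 4 (none) if a
    category is not given. The text rates a threat that interrupts production (2)
    and could cause death (1) as 1, which is exactly this min()."""
    ratings = [impacts.get(category, 4) for category in IMPACT_CATEGORIES]
    bad = [r for r in ratings if r not in (1, 2, 3, 4)]
    if bad:
        raise ValueError(f"impact ratings must be 1..4, got {bad}")
    return min(ratings)


@dataclass
class Asset:
    name: str
    kind: str          # "data" or "device"
    segment: str       # most exposed segment from which the asset is reachable
    impacts: dict      # impact category -> rating 1..4
    probability: str = field(init=False)
    criticality: int = field(init=False)

    def __post_init__(self):
        self.probability = SEGMENT_PROBABILITY[self.segment.lower()]
        self.criticality = criticality_rating(self.impacts)

    def rating_code(self):
        return f"{self.probability}{self.criticality}"


def mitigation_for(asset):
    """Table 8 or table 10 cell for the asset; None means the cell is blank."""
    matrix = DATA_MATRIX if asset.kind == "data" else DEVICE_MATRIX
    return matrix[asset.probability][asset.criticality - 1]


def highest_rating(assets):
    """A1 outranks B1, and B1 outranks B2: earliest letter, then lowest number."""
    return min(assets, key=lambda a: (a.probability, a.criticality))


def network_security_level(device_assets):
    """Section 10.1.1: the highest device rating decides the MCN perimeter control."""
    worst = highest_rating(device_assets)
    return worst.rating_code(), mitigation_for(worst)


def mitigation_report(assets):
    return [(a.name, a.rating_code(), mitigation_for(a)) for a in assets]


# Constructed sample assets (not the report's own tables).
SAMPLE_DEVICES = [
    Asset("Internet access operator console", "device", "internet", {"production": 1}),
    Asset("Engineering configuration workstation", "device", "integrated mcn", {"production": 1}),
    Asset("Computer gateway", "device", "corporate intranet", {"production": 2, "injury": 1}),
    Asset("Control room printer", "device", "corporate intranet", {}),
]
SAMPLE_DATA = [
    Asset("Set points", "data", "corporate intranet", {"injury": 1}),
    Asset("Tuning data", "data", "isolated mcn", {"production": 1}),
    Asset("Control configurations/programs", "data", "integrated mcn", {"production": 3}),
]

if __name__ == "__main__":
    print("MCN perimeter:", network_security_level(SAMPLE_DEVICES))
    for row in mitigation_report(SAMPLE_DATA):
        print(row)
```

The blank matrix cells come back as None, which is the "no mitigation recommended" outcome the text describes for the C3 control configuration programs; a site that tailors its own matrix (as 10.1.1 says it must) only needs to edit the two dictionaries.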
Table 11 — Application and Data Asset Topology Example

Internet
  Applications: Remote access software or similar client; Historian client; Maintenance client; Plant optimization client
Corporate WAN
  Data: Production data; Quality data
  Applications: Network applications (LIMS, SAP); Remote access software or similar client; Historian client
Site LAN
  Data: Production schedules; SOCs; AOPs; Historical data
  Applications: File server; Application server (read only); Network printer; Historian client; E-mail; Internet access; Remote access software or similar client
Remote dial-in
  Applications: Remote access software program; Application client
Firewall
Manufacturing Control Network
  Data: Process variables; Set points; Control configuration/programs; Historical data; Workstation account names and passwords
  Applications and devices: Application nodes (future); Operator control station; Engineering workstation; Computer gateway; DCS; PLC; CEMs; Remote access server; FTIR Analyzer; Remote access software server; Browser; HMI; MS Office; HMI; PLC workstation; Printing; HMI; Printing; DCS

10.2 Address Vulnerabilities

The ISA-SP99 committee recognizes that this topic is important and will address it in a future revision of this Technical Report.

10.2.1 Physical Security

The ISA-SP99 committee recognizes that this topic is important and will address it in a future revision of this Technical Report.

10.2.2 Common Problems and Solutions

The ISA-SP99 committee recognizes that this topic is important and will address it in a future revision of this Technical Report.

10.2.3 Address Common Problems Immediately

• Some problems can be addressed through application of policy and procedures in the "systems management" area.
• Establish a secure default state instead of an "open" default state (isolation, passwords, permissions). Keep in mind that using a secure default setting could impact system operation.
• Establish only the connections that are needed
  - Use existing approaches to make connections secure
  - Add special features where needed
• Limit access to functionality
  - Configure to provide only what is needed to perform the job
• Use appropriate access controls
  - Use passwords where practical
• Encrypt where appropriate
  - Avoid where time-critical requirements do not allow it; use where necessary
  - Consider streaming encryption approaches for time-critical requirements

10.2.4 Additional Activities

Address additional areas where the impact on system functions is confirmed as acceptable:
• Configure the manufacturing control network infrastructure for electronic security
• Configure HMI workstations, servers, and network computers for electronic security
• Configure DCS and PLC interfaces, controllers, and Intelligent Electronic Devices (IEDs) so they are secure, but still practical and capable of being used
• Install and configure virus protection software and make sure it is kept current
• Provide intrusion detection
• Complete vulnerability scans (phone, intranet, Internet)
• Wireless: don't use it, or do so with the recognition that its security is less robust. Mitigating controls should be in place to contain the risk.
• Firewalls
  - Configuration scans and control

10.3 Formalize Change Management Plan

The system plan should incorporate strong change evaluation and control. Many of the procedural and configuration details discussed above are simple to implement, and provide increased security. However, they can have unexpected, undesired, and profound consequences for the systems being managed if they are not well thought out, carefully planned, and rigorously tested before application. The plan should provide controls that preclude undesired impacts from security "enhancements."

11 Procure and Build Countermeasures

11.1 Translate Requirements into Design Phase Specifications and Complete Construction

A resource that will be available in the future for the rigorous definition of security performance requirements for each component of a system is being generated by the U.S. NIST-sponsored Process Control Security Requirements Forum (PCSRF). This government forum is developing guidelines for using Protection Profiles as a means of rigorously defining security functions/performance requirements in a way that removes ambiguity.
Once developed, Protection Profiles may be used by the purchaser as part of purchasing specifications, which would also include any additional security functionality, assurance and testing requirements, and non-security (operational) requirements for the components being purchased. A description of the nature and goals of the PCSRF forum is given in Section 23.

12 Define Component Test Plans

12.1 Decisions to Make in Planning a Test Program

Ultimately, the installed system needs to meet both operational objectives and security goals. A good component, integration, and system validation test program needs to include security performance testing, as well as operational (non-security performance) testing of the final configured system. The security functions are just another aspect of the overall performance capabilities a system must provide. The base security capabilities of each component making up the system reside at a low enough level in the component's architecture that they can be readily separated from operational functions and tested independently to achieve reasonable assurance of acceptable security performance. The discussion that follows focuses on both the security capabilities and the non-security (operational) performance of components.

There are many aspects of a test program to consider, ideally before the final purchase order for equipment is signed. Decisions include:
• Degree of Testing Assurance: What sort of assurance does the buyer want to specify (and pay for) so that the purchased security components meet security and non-security functional requirements and specifications? Does the vendor (or customer) have laboratory test bed facilities to perform this testing, or is an outside/independent lab necessary? In this document, we may classify the degree of assurance specified or required into two categories: low assurance and high assurance.
• Security component type under test: Is the security component (countermeasure) hardware, software, or does it contain both?
• What sort of security and non-security (operational) performance should be included in the test program? The following chart lists typical security and non-security performance issues that might be tested.

Security performance
  - Through the operational lifecycle (is the secure state maintained throughout startup, normal operation, shutdown, standby, and maintenance)?
  - Authentication capability and integrity
  - Audit trail and audit trail integrity
  - Integrity violation notification
Non-security (operational) performance
  - Environmental conditions (temperature, humidity, vibration, EMI, etc.)
  - Usability
  - Safety performance
  - Performance under stress
  - Reliability
  - Maintainability

• Type of testing appropriate versus assurance level:
  - For a low assurance level, the type of testing appropriate is generally "black box" testing, which means you treat the component under test as a complete entity, testing its external security and non-security properties only. No effort is made to find out what is "under the hood" (or to go back and see how the product was developed, engineered, and manufactured). The item of concern during the test is how this item performs its security and non-security functions in the installed system.
  - For a high assurance level test program, belief in the proper security, and perhaps also the non-security performance, of a component can be assured by examining the component's "pedigree" (researching the process by which the security component was evaluated, designed, and manufactured). This process is called "white box" testing; it is involved, time-consuming, and costly, but may be justified when security/non-security performance must be verified to a high level. The belief is that through engineering for security, using inspection and testing at every step of the manufacturing process, you can be absolutely certain that the security component will perform the required security function in a critical application.

It is possible for a security component to have very critical non-security (operational) functions. For instance, if a component has safety functions as well as security, it is conceivable that the safety functions are more critical and need more testing assurance than the security functions.

In the Component, Integration, and System Validation testing sections that follow, complete testing might involve separate or combined hardware and software testing. An important factor to consider in formulating test plans is the necessity for a non-production facility, or test bed, to run acceptance tests on individual components and to combine them together, if possible, in an integration test. Development and test activities can cause serious problems (e.g., unwanted modification of files or the system environment, or system failure). Carefully consider the level of separation necessary between operational, test, and development environments in order to prevent operational problems.
A similar separation should also be implemented between development and test functions. Separating development, test, and operational facilities is recommended to reduce the risk of accidental change or unauthorized access to operational software and business data and to prevent inappropriate developer access. If development and test staff have access to the operational system and its information, they may be able to introduce unauthorized and untested code or alter operational data. On some systems, this capability could be misused to introduce untested or malicious code. Developers and testers may also pose a threat to the confidentiality of operational information. Development and testing activities may cause unintended changes to software and information if they share the same computing environment.

Some component testing may be performed offsite, by the vendor of the security control equipment, or by a third party. Rarely will outside parties have the exact configuration of the control system as it exists in the plant. A simplified replica system in a development laboratory, or a system near the site production system, is best suited for the component and integration test phases. The component and integration test plans would then be designed around this test bed facility. Security control components should be installed in the production system only if the individual components successfully pass individual and, if possible, integration tests. A full-scale validation/acceptance test should take place after the components are installed and commissioned.

It is important to emphasize that "security countermeasures" may involve people operating through policies and procedures, as well as manual checks for security. A countermeasure, for instance, may consist of a control engineer installing a security patch issued for hardware or software. The test plan might go through a sequence of "dry run" patch installation, noting factors and influences. Unlike traditional system testing, it is permissible in security testing to corrupt either component or integrated features of the system in an attempt to meet the test plan goals.

12.2 Sufficient Testing

Ideally, a system would be tested in all possible states to ensure that every security contingency is met, or at least so that the residual risk differential becomes known. The difficulty is that "complete" system testing, while theoretically possible, is unobtainable for most specifications given time and resource constraints.
Therefore, the challenge for the security tester is to perform "sufficient testing." What may be defined as sufficient testing is made easier by referring to the gap analysis performed in stage 3 of the Security Lifecycle (see section 9, Conduct Risk Assessment and Gap Analysis). Gap analysis provides a method to prioritize threats to system segments. However, because not all fault class goals are known, 100% security can never be assured.

Testing may include a variety of approaches such as boundary value analysis, stress testing, regression testing, root cause analysis, and perhaps chain-of-events modeling, hazards analysis, or fault trees adapted to security. A variety of testing tools such as test scripts, databases of variables, a baseline configuration assumed as the start state, metrics, and calibration tools are available. Commercial and freeware tools are available pre-configured to perform diagnostic routines and simulate gateways and connected devices.

12.3 Component Test Plans

Component testing is testing performed by the vendor, at the user's plant, or at an outside lab to assure all parties that the purchased security components meet purchase specifications and demonstrate the required security performance. Some component testing may be performed offsite, by the security control equipment vendor, or by a third party. Rarely will outside parties have the exact configuration of the control system as it exists in the plant. A simplified replica system in a development laboratory, or a system near the site production system, is best suited for the component and integration test phases. The component and integration test plans would then be designed around this test bed facility.

As mentioned above, a security component may be software, hardware, or a combination of the two. The following example shows a component test for the installation of a software guard on an Intelligent Electronic Device (IED). The process for performing a component test is:
1. Prepare Component Test Plan
   a. Include Purpose, Scope, Time Constraints
2. Prepare and Verify Test Procedures
   a. Define Tests to:
      i. Include all component segments, inputs, and outputs; simulation stubs for connecting interface components.
      ii. Use accepted security testing techniques such as Hazards Analysis, Fault Trees, Chain of Events, Root Cause Analysis
   b. Define and prepare adequate Test Cases to:
      i. Include all possible decision outcomes.
      ii. Test data, component logic, timing, and environmental constraints under:
         1. normal operating conditions,
         2. component boundaries,
         3. outside system boundaries within a predetermined confidence range.
      iii. Include hypothesized error conditions.

13 Test Countermeasures

Perform the test plan for each component test plan defined above. Create and review a test report that includes the following items:
• Lists of actual hardware, software, processes, and persons included
• A summary of tests performed, testing methods, and tools
• Date and timing of each activity
• Versions of relevant documents
• Summarization of expected results
• Identification of discrepancies, if any, between expected and actual test results
• A plan for corrective action if necessary

14 Define Integration Test Plan

In some instances, it is possible to perform a non-production integration test to see how security countermeasure components work together. For example, security countermeasures that consist of discrete hardware/software may be connected via a lab test bed network. In other cases, this integration may not be possible. The integration test plan should take advantage of any test bed scheme that can be configured to test combinations of operating conditions that may be present in the production system. Integration testing assurance involves examining and testing several security components, perhaps from different vendors, temporarily connected together on a workbench or auxiliary test bed in an effort to see if the security components work together correctly before being placed in the Manufacturing Control System environment. The following example shows the connection of an IED, with a recently installed and tested guard, to a local area network:
1. Prepare Integration Test Plan
   a. Include Purpose, Scope, Time Constraints
2. Prepare and Verify Test Procedures
   a. Define Tests
      i. Performed on previously component-tested units.
      ii. Include all resources used in the integrated subsystem.
3. Define and prepare adequate Test Cases to:
   a. Include functional and performance attributes for all modes of operation
   b. Attempt to create faults in subsystem interfaces, subsystem components, and modules using hardware, software, and data errors
   c. Subvert security functionality
   d. Stress timing, failsafe defaults, error conditions, and error recovery.

15 Perform Pre-installation Integration Test

Perform pre-installation integration testing of security countermeasure components, where possible, in a test-bed hookup, as previously described.
16 Define System Validation Test Plan

System Validation testing is testing performed on the entire Manufacturing Control System with all security components inserted, configured, and made operational as an integral part of the security lifecycle. The objective of validation testing is to ensure that the security countermeasures, as procured and installed, meet the following criteria:
• They are installed correctly.
• They are reconfigured correctly.
• They meet the completed security controls specification.
• Most important, testing has fulfilled the user's documented security requirements.

Additionally, the completed system should meet the original intent of the user with respect to security. The following example shows testing of an operating SCADA console with measurement devices and an IED containing a recently installed and tested guard.
1. Prepare Validation Test Plan
   a. Purpose, Scope, Time Constraints
2. Prepare and Verify Test Procedures
   a. Define Tests
      i. Include all entire-system states, inclusive of the HMI
   b. Define and prepare adequate Test Cases to:
      i. Include all segments tested in the integration test
      ii. Use dynamic simulation of signals, and demonstrate subsystem capabilities under steady state conditions, changing conditions, abnormal conditions, and accident conditions. The test cases should cover all modes of operation.
      iii. Exercise all capabilities needed by users

17 Perform Validation Test of Installed System

System validation testing has a dual purpose, to:
• Demonstrate through appropriate verification techniques, verification procedures, and procedure refinements (as needed) that the management, operational, and technical security controls of the Manufacturing Control System are implemented correctly and are effective in their application.
• Prepare the final Manufacturing Control System test report(s) based on the results of the activities carried out during the testing phase.

Perform the system validation test after installing and commissioning the security controls in the system's proper configuration. Prepare a report containing the same elements as in section 12, Define Component Test Plans.

18 Finalize Operational Security Measures

This process includes using the test results and conducting a final review to confirm that the previously developed procedures and standards are achievable, and then implementing those procedures.
18.1 Establish Operational Security Baseline

Use the test results and final setup from validation testing of the security countermeasures on the installed system to define the production operating parameters of the installed security controls.

18.2 Finalize Operational Security Policy

Compare the previously prepared operational security policy set (consisting of high-level policy, standards, and procedures) with the results of validation testing and the operational security baseline. If the previously prepared policy set is in agreement, this policy set may then be issued and enforced.

18.3 Establish Management of Change (MOC) Program

A management of change (MOC) program, as used in the safety context, reviews any future process control or instrumentation changes with a wide variety of stakeholders to see if the proposed change can have unforeseen negative safety side effects. A management of change security program is similar, except that prospective changes are reviewed for unforeseen negative effects of process control and instrumentation changes on the security system. It is important to note that in implementing a security management of change program, changes to control systems must be examined for possible effects on safety, and vice versa. The security management of change program should be integrated with the Process Safety Management program at the site so that a holistic assessment is made for any changes to the Manufacturing Control System. The management of change program should be employed for any manufacturing process change or Manufacturing Control System change that results in changes to system hardware or software.

18.4 Establish Periodic Audit Plan

For the security controls in the validation step, an audit plan should be implemented to perform the following audits:
• Validate that the original security controls present during the initial system validation are still installed and operating correctly on the production system.
• With the installed security controls performing their intended functions, verify that the production system is free of security compromises, or provide information on the nature and extent of compromises, should they occur.
• Verify that the management of change program is being rigorously followed, with audit trail reviews of approvals for changes.
• Establish a set frequency for periodic audits and re-audits

18.5 Establish Audit Metrics

Results of periodic audits should be expressed in the form of performance against a set of predefined and appropriate metrics to display security performance and security trends.

18.6 Establish Audit Metrics Reporting Procedure

Security performance metrics should be sent to the appropriate stakeholders, along with a view of security performance trends.

18.7 Establish Compliance Requirements

Compliance criteria are finalized upon validation testing/security baseline establishment. Stakeholders at the appropriate level should receive audit results, weigh them against the compliance criteria, and either accept the results as confirming that security performance is being maintained, or start a corrective action cycle to remedy the security deficiency.

18.8 Establish Corrective Action Procedures

The appropriate stakeholder should specify what corrective action is required to remedy the out-of-compliance situation.

18.9 Disaster Recovery

A noteworthy element of the management of change program is the disaster recovery plan for all components of the system. The disaster recovery plan must address the detailed process to restore both the operational and the security aspects of the manufacturing control system. The plan's backup and recovery strategies and procedures must be documented and tested on a periodic basis to ensure the ability to recover to a prior functional and secure state.

18.10 Monitoring and Logging

All available system logs should be examined and monitored, both on a periodic basis and for abnormal activities that may indicate problems.

18.11 Intrusion Detection

The plan should provide for intrusion detection at the appropriate level of the system, which can range from detecting hardware or physical intrusions to detecting unauthorized remote access activities. Intrusion detection may incorporate process models, cross correlation between redundant and diverse data, or other techniques to assess the validity of data. The intrusion detection system should also provide appropriate notification and/or response to intrusions detected.

18.12 Incident Response

The plan provides for responding to security incidents through the following activities:

18.12.1 Detection and Response

Assign event and intrusion detection (see section 18.11) notification and alerts so that personnel can respond to, terminate, and resolve accidental or malicious incidents.
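Section 18.11 names cross correlation between redundant and diverse data as one intrusion detection technique, and 18.12.1 asks that its alerts reach the people who respond. The Python below, an added example that is not part of the Technical Report, shows the smallest useful form of that check: the same set point as shown on the operator console and as read back from the controller is compared sample by sample, and a disagreement that persists for more than a configurable number of consecutive samples becomes an alert, while a single transient mismatch does not. The log format, the source names "hmi" and "plc", the tag names and every reading are constructed for the example.

```python
"""Cross-correlation of redundant data as an intrusion detection check
(ISA-TR99.00.02 section 18.11) with a notification for 18.12.1.

Added example, not code from the Technical Report. SAMPLE_LOG is
constructed data in an invented "<time> <source> <tag> <value>" format:
the operator console ("hmi") and the controller ("plc") each report the
value of a set point tag every five seconds.
"""
from collections import defaultdict

# Constructed sample: TIC101.SP diverges and stays diverged from 10:00:10;
# FIC202.SP shows a single-sample glitch that recovers.
SAMPLE_LOG = """\
10:00:00 hmi TIC101.SP 150.0
10:00:00 plc TIC101.SP 150.0
10:00:00 hmi FIC202.SP 40.0
10:00:00 plc FIC202.SP 40.0
10:00:05 hmi TIC101.SP 150.0
10:00:05 plc TIC101.SP 150.0
10:00:05 hmi FIC202.SP 40.0
10:00:05 plc FIC202.SP 40.6
10:00:10 hmi TIC101.SP 150.0
10:00:10 plc TIC101.SP 195.0
10:00:10 hmi FIC202.SP 40.0
10:00:10 plc FIC202.SP 40.0
10:00:15 hmi TIC101.SP 150.0
10:00:15 plc TIC101.SP 195.0
10:00:20 hmi TIC101.SP 150.0
10:00:20 plc TIC101.SP 195.0
"""


def parse_log(text):
    """Return (time, source, tag, value) tuples; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        time, source, tag, value = line.split()
        records.append((time, source, tag, float(value)))
    return records


def pair_samples(records):
    """Group readings by tag and timestamp: {tag: [(time, {source: value}), ...]}."""
    by_tag = defaultdict(dict)
    for time, source, tag, value in records:
        by_tag[tag].setdefault(time, {})[source] = value
    # HH:MM:SS strings sort chronologically as plain text.
    return {tag: sorted(times.items()) for tag, times in by_tag.items()}


def detect_divergence(text, primary="hmi", secondary="plc",
                      tolerance=0.5, persistence=2):
    """Alert once per run of `persistence` consecutive samples in which the two
    sources disagree by more than `tolerance`. Instants with only one source
    present cannot be correlated and are skipped rather than counted."""
    alerts = []
    for tag, samples in pair_samples(parse_log(text)).items():
        run_start, run_len = None, 0
        for time, readings in samples:
            if primary not in readings or secondary not in readings:
                continue
            if abs(readings[primary] - readings[secondary]) > tolerance:
                run_len += 1
                if run_start is None:
                    run_start = time
                if run_len == persistence:      # fire exactly once per run
                    alerts.append({"tag": tag, "since": run_start,
                                   primary: readings[primary],
                                   secondary: readings[secondary]})
            else:
                run_start, run_len = None, 0
    return alerts


def format_notification(alert, primary="hmi", secondary="plc"):
    """Text for the 18.12.1 alert to the responding personnel."""
    return (f"ALERT {alert['tag']}: {primary} shows {alert[primary]} but "
            f"{secondary} holds {alert[secondary]} since {alert['since']}; "
            f"redundant data disagree, verify the set point and open an incident")


if __name__ == "__main__":
    for alert in detect_divergence(SAMPLE_LOG):
        print(format_notification(alert))
```

The persistence threshold is what keeps the check usable on a plant network: noise and sampling skew produce one-off mismatches, whereas a set point that has been changed on the controller without the console seeing it stays different. Whether the cause is tampering (9.1.3) or a failed communication path, the alert is the same; the response step decides.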
18.12.2 Reportg Document events cidents report them appropriate management any reportg system entity belongs. 18.12.3 dustry Event Monitorg Monitapplicable dustry groups and/alert notificatiorganizations. plprovides appropriate actions based event notifications. Potential sources alerts clude: Copyright 2004 ISA. rights . ANSI/ISA-TR99.00.02-2004 — 68 — • supplier user groups security event notificatibodies • event databases (British Columbistitute Technology) • dustry formatiSharg AnalysCenters (ISACs) • CERT (U.S. Computer Emergency Readess Team) 18.13 Contgency Plans plprovides contgency plans coverg full range failures problems could caused failures Manufacturg Control System electronic security program. Contgency plans should clude procedures restorg systems good backups, separatg nonessential terfaces connections could melectronic security trusions, alternatives achieve necessary terfaces coordation. Contgency plans should iodically tested ensure contue meet objectives. 18.14 Normal Support Normal support cludes day-to-day activities organizatimatasecurity control (e.g., implementg patches, virus updates, reports, configuratichanges, password sonnel matenance). 18.14.1 Reports plprovides iodic reports management detailg oatiplan, along recommended changes program so effectively meets objectives. Reports could clude: • PlProgram Status—overview plan, effective h, audresults, plans improvement. • Vulnerabilities Identified Addressed—list vulnerabilities identified recommendatiaddressed. • trusions Detected Addressed—list trusions detected recommendatiaddressed. • Recommendations Based Exience Date—list recommendations improvg plprogram so addresses vulnerabilities detected better meets objectives security program. • Next Activities Report Schedule—detailed list activities formed conform pladdress vulnerabilities identified previous audits schedule future reports. 
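The audit cycle of sections 18.1 and 18.3 to 18.8 (baseline, periodic audit, metric, compliance decision, corrective action) worked through as an added Python example; this is not code from the Technical Report. The control names, the audit records, the change records and the 90 % criterion are constructed for illustration.

```python
"""Added example, not part of ANSI/ISA-TR99.00.02-2004: the audit cycle of
sections 18.1 and 18.3 to 18.8 as code. Control names, audit records and
the compliance threshold are constructed for illustration."""
from dataclasses import dataclass, field

# 18.1: the operational security baseline records every installed control
# and the operating state that the final validation testing established.
BASELINE = {
    "mcn_firewall":        {"installed": True, "operating": True},
    "antivirus_hmi_nodes": {"installed": True, "operating": True},
    "intrusion_detection": {"installed": True, "operating": True},
    "remote_access_2fa":   {"installed": True, "operating": True},
}

# 18.7: compliance criterion fixed when the baseline was established
# (constructed value: at least 90 % of the baseline checks must hold).
MIN_CONTROL_SCORE = 0.90


@dataclass
class AuditRecord:
    """One periodic audit (18.4): observed state of each baseline control and
    the change records found in the MOC audit trail (18.3). Each change is
    {"id", "safety_review", "security_review", "approved"}."""
    period: str
    observed: dict                      # control -> {"installed", "operating"}
    changes: list = field(default_factory=list)


def control_findings(observed):
    """First audit of 18.4: baseline controls that are no longer installed
    or no longer operating correctly in the production system."""
    findings = []
    for name, expected in BASELINE.items():
        state = observed.get(name, {})
        for key in ("installed", "operating"):
            if expected[key] and not state.get(key, False):
                findings.append((name, f"not {key}"))
    return findings


def moc_findings(changes):
    """Third audit of 18.4: every change needs the safety review, the
    security review (18.3) and an approval; anything else bypassed MOC."""
    return [c["id"] for c in changes
            if not (c.get("safety_review") and c.get("security_review")
                    and c.get("approved"))]


def control_score(observed):
    """18.5 metric: share of baseline checks (installed, operating) that hold."""
    return 1.0 - len(control_findings(observed)) / (2 * len(BASELINE))


def evaluate(record):
    """18.7/18.8: weigh one audit against the criteria and either accept it
    or produce the corrective actions that remedy the out-of-compliance state."""
    score = control_score(record.observed)
    bypassed = moc_findings(record.changes)
    actions = [f"restore control '{name}' ({why})"
               for name, why in control_findings(record.observed)]
    actions += [f"take change {cid} back through MOC review" for cid in bypassed]
    return {"period": record.period, "score": round(score, 3),
            "compliant": score >= MIN_CONTROL_SCORE and not bypassed,
            "corrective_actions": actions}


def trend(records):
    """18.5/18.6: the metric over successive audits, as reported to
    stakeholders in the Plan/Program Status report of 18.14.1."""
    return [(r.period, round(control_score(r.observed), 3)) for r in records]


def snapshot(**overrides):
    """Constructed observation: the baseline state with selected changes."""
    return {**{k: dict(v) for k, v in BASELINE.items()}, **overrides}


# Constructed audit history: Q1 is clean; in Q2 intrusion detection has
# stopped operating and one change skipped the security review.
AUDITS = [
    AuditRecord("2004-Q1", snapshot(), [
        {"id": "CHG-1", "safety_review": True, "security_review": True,
         "approved": True}]),
    AuditRecord("2004-Q2",
                snapshot(intrusion_detection={"installed": True,
                                              "operating": False}),
                [{"id": "CHG-2", "safety_review": True,
                  "security_review": False, "approved": True}]),
]
```

Calling evaluate() on each record and trend() on the list gives the per-audit compliance decision with its corrective actions and the metric series for the stakeholder report.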
18.15 Formalize Audit Plan for System
The plan provides guidance for auditing the plan and its implementation to ensure it is effective in meeting its objectives. The audits would normally include the following items:

18.15.1 Policies
Review policies, standards, and procedures to confirm they are established and provide appropriate consideration of those items listed here, as well as other items applicable to the entity in question.

18.15.2 Inventory
Verify that an inventory of information on potentially vulnerable systems has been developed and is up-to-date.

18.15.3 Risk Assessment
Perform a risk assessment to identify systems that require vulnerability assessments.

18.15.4 Vulnerability Assessments
Verify that the systems identified in the risk assessment are assessed to determine their vulnerability. Make sure typical problem areas are assessed and addressed as necessary.

18.15.5 Vulnerabilities Addressed
Verify that the vulnerabilities identified are addressed in an appropriate manner and that system functionality has been maintained.

18.16 Implement
Once the program details are completed as planned and personnel are trained, the security program is implemented.

19 Route Security Reporting and Analysis
The ISA-SP99 committee recognizes this topic as important to address in a future revision of this Technical Report.

20 Periodic Audit and Compliance Measures
The ISA-SP99 committee recognizes this topic as important to address in a future revision of this Technical Report.

21 Reevaluate Security Countermeasures
The ISA-SP99 committee recognizes this topic as important to address in a future revision of this Technical Report.

22 Work with Suppliers and Consultants
In developing and applying a security plan, it is common practice to adopt a largely internal focus. This approach overlooks the significant benefits that can be gained by collaborating with various external parties and groups. Sharing experiences with others increases the general body of knowledge on control systems security and improves the quality of this information for everyone. Major control system suppliers offer support in the security area; some offer significant support. The knowledge and services offered are increasing all the time. Contact your suppliers to solicit advice on how their systems can be secured, the support they provide, and recommendations for making changes to your existing system. Suppliers also offer user group experience that benefits the identification and addressing of vulnerabilities. Hardware, software, and system integrators and user groups are a key source in providing support for conducting the careful analysis and testing necessary before making hardware and/or software changes or upgrades intended to enhance security. There are also several consultants who offer significant expertise in the areas of plan development, assessments and risk analyses, and vulnerability reduction. Each source has potential benefits and opportunities.

22.1 System Suppliers
System suppliers are an obvious source of detailed technical information on the features and functions of their products. This information typically takes the form of detailed reference documents and user manuals, and may be the subject of formal training courses. However, manuals and courses may not adequately address the question of best practices for applying and configuring the products with security considerations in mind. Often this information is best obtained through collaboration with the projects and services organization of the supplier company. Executing a project in partnership with members of this group is an excellent way to learn the effective application of a supplier's products.

22.2 Consultants
In a similar manner, independent consultants can provide an excellent source of information to improve a security program. They often have a range of experience that spans many products and technologies, and have had the opportunity to observe what works and what doesn't work in various environments. Take care to select a consultant who has relevant experience in a similar or related industry situation, because this experience can have a significant influence on the nature of the final plan.

22.3 Integrators
Integrators bring knowledge derived from practical experience on a variety of projects. Similar to the projects and services people within the supplier organization, they are an excellent source of information for answering various types of "how to" questions. Verify that the integrators used have experience with cybersecurity issues and details.

22.4 User Groups
Various types of user groups are often overlooked sources of knowledge and experience. Participating in a customer user group sponsored by your system supplier can quickly provide access to people with similar interests, needs, and challenges. These groups are based on the implicit principle of open sharing of knowledge and require only modest time commitments.

23 Participate in Industry Forums and Development Programs
Periodic reviews and updates should be provided to adapt to changing threats and user needs and to incorporate improving electronic security technology. The plan provides for participation in appropriate industry groups and forums. These groups include sector-lead organizations, standards organizations, supplier organizations, and other groups that provide knowledge sharing on how systems are compromised, response approaches, successful programs, plans, and technologies. Beyond user groups focused on a particular product or supplier, there is a wide variety of industry groups and forums available that can provide information and assistance. A complete list is well beyond the scope of this document, but the more significant ones are listed below.

23.1 ISA—The Instrumentation, Systems, and Automation Society
ISA has established the Standards and Practices Committee ISA-SP99 with the express intent of developing guidance to help stakeholders provide secure Manufacturing Control Systems that are less vulnerable to electronic and network-based intrusions and failures. ISA committee membership is encouraged to provide representative expertise from the user, supplier, and academic communities.

23.2 U.S. National Institute of Standards and Technology (NIST)
The Process Control Security Requirements Forum (PCSRF) was developed by NIST with the goal of sharing information among those that are developing standards to provide secure Manufacturing Control Systems. It provides another means of information sharing for a group working on and interested in developing standards. NIST is developing a testbed to study performance measures and tests for Manufacturing Control System security products, to determine if particular time-sensitive requirements can be met. The testbed includes emulations of water distribution and bottling plants so that testing includes as much of the intended physical environment as possible.

23.3 North American Electric Reliability Council (NERC)
NERC provides several industry information sharing services and programs for the electric utility industry. Its web site is listed in section 24 below.

23.4 Chemical Industry Data Exchange (CIDX)
CIDX has recently formed a business unit devoted to the subject of cyber security in the chemical industry. This group will promote education, adoption of standards, and technology development.

23.5 Institute of Electrical and Electronics Engineers (IEEE)
The IEEE Power Engineering Society (PES) has several committees addressing cybersecurity.

23.6 International Electrotechnical Commission (IEC)
IEC TC57 Working Group 15 (Data and Communication Security) is addressing cybersecurity for control center and substation communications. IEC TC65 (Industrial Process Measurement and Control) is also addressing cybersecurity.

23.7 International Council on Large Electric Systems (CIGRE)
Advisory Group D2.02 has formed a working group on Information Security for Power Utilities.

23.8 U.S. Department of Energy National SCADA Test Bed Program
The U.S. Department of Energy's Office of Energy Assurance has recognized the need for a National Laboratory-based SCADA test bed. Both Sandia National Laboratory and the Idaho National Engineering and Environmental Laboratory are involved in developing this national test bed with industry participation. The test bed will focus on identifying SCADA and process control system security vulnerabilities and then developing and validating solutions to improve the resilience of critical infrastructures.

23.9 Process Control System Cyber Security Forum (PCSRF)
This subscription forum was established to meet the complex, growing, and increasingly urgent security threats and vulnerabilities of process control systems. It is sponsored by the U.S. National Institute of Standards and Technology (NIST). The forum brings together infrastructure industries, process control system vendors, services providers, and government and regulatory stakeholders charged with protecting critical infrastructures and industries reliant on networked process control systems. The forum relies on a collaborative, information-sharing environment to develop shared security solutions. PCSRF's roles in Manufacturing Control Systems security include:
• Develop protection profiles for the security features that equipment is built with.
• Future solutions for equipment and system installations.
• System certification through independent testing.
• Including security considerations in the specification, procurement, and assurance areas of the industrial process control systems lifecycle.
• Test bed to validate standards and develop performance and conformance test methods.

24 Bibliography and References
Much of the information in this document has been based on readily available information, including various existing security-focused Web sites. This technical report emphasizes the need to filter these guidelines to ensure they do not unacceptably impact system functionality. Many of the approaches and much of the information are IT-focused, which explains the statement in section 1 to apply this information carefully, always considering the impact on Manufacturing Control Systems functionality. In addition, some referenced information is incomplete or flawed in its application to Manufacturing Control Systems. Again, it must be used carefully to determine the impact on Manufacturing Control Systems functionality. The following references provide additional information and details concerning security recommendations:
• ANSI/ISA-95.00.01-2000, Enterprise-Control System Integration Part 1: Models and Terminology (IEC/ISO 62264-1). (www.isa.org/standards/)
• ANSI/ISA-95.00.02-2001, Enterprise-Control System Integration Part 2: Object Model Attributes (IEC/ISO draft 62264-2). (www.isa.org/standards/)
• U.S. National Strategy to Secure Cyberspace. (whitehouse.gov/pcipb/cyberspace_strategy.pdf)
• Critical Infrastructure Protection: Cybersecurity of Industrial Control Systems, U.S. NIST. (mel.nist.gov/proj/cip.htm)
• Process Control Security Requirements Forum (PCSRF), U.S. NIST. (isd.mel.nist.gov/projects/processcontrol/)
• National Infrastructure Assurance Partnership, U.S. NIST and U.S. NSA. (niap.nist.gov/)
• Computer Security Resource Center, U.S. NIST. (csrc.nist.gov/)
• CIAO - Critical Infrastructure Assurance Office. (ciao.gov/)
• Twenty Critical Internet Security Vulnerabilities, SANS Institute. (sans.org/top20.htm)
• North American Electric Reliability Council (NERC). (nerc.com)
• Critical Infrastructure Protection Advisory Group (CIPAG), NERC. (nerc.com/~filez/cipfiles.html)
• U.S. Federal Energy Regulatory Commission (FERC). (ferc.gov)
• NOPR Standard Market Design, U.S. FERC. (ferc.gov/Electric/RTO/Mrkt-Strct-comments/discussion_pa.htm)
• U.S. Department of Energy (DOE). 21 Steps to Secure Your SCADA Network. (oea.dis.anl.gov/home.htm)
• Oil and Natural Gas - National Petroleum Council. (https://www.pcis.org/getDocument.cfm?urlLibraryDocID=30)
• Chemicals - US Chemicals Sector Cyber-Security Information Sharing Forum. (https://www.pcis.org/getDocument.cfm?urlLibraryDocID=37)
• Critical Infrastructure Protection National Plan Input, Water Sector—Association of Metropolitan Water Agencies. (https://www.pcis.org/getDocument.cfm?urlLibraryDocID=27)
• Safeguarding IEDs, Substations, and SCADA Systems Against Electronic Intrusions, P. Oman, E. Schweitzer III, J. Roberts. (selc.com/techpprs/6118.pdf)
• Common Criteria ISO/IEC 15408—Insight, Thoughts, Questions, Issues, A. Aizuddin. (niser.org.my/resources/common_criteria.pdf)
• National InfraGard Program, U.S. FBI. (infragard.net/)
• U.S. Dept. of Homeland Security. (dhs.gov/)
• Information Technology Information Sharing and Analysis Center. (https://www.it-isac.org/)
• Water Information Sharing and Analysis Center. (waterisac.org/)

Annex A — Sample Policies and Procedures Document
This annex provides an example of one entity's approach to a Manufacturing Control System Network Security Policies and Practices document. It provides the type of guidance recommended in ANSI/ISA-TR99.00.02-2004, but please note that it contains references, limits, values, and terminology specific to that entity, which may be different from another user's, owner's, or entity's requirements. The acronyms and references may also be different from those used in ISA documents. Every Manufacturing Control System user, owner, or entity needs to develop its own program, including procedures, practices, operational policies, standards, training, and specific activities, incorporating guidance on the subject matter identified in ISA-99.00.02-2004 and tailored to the specific user's, owner's, or entity's hardware, software, and existing organizational and programmatic requirements.

Manufacturing Control System Network Security Operational Policies and Recommended Practices
October 200X
Ver. 2.0 1/03/0X
Notice: The material in this report is believed to be accurate and is intended as recommended practices. The material itself does not infringe any U.S. patents.
No further warranty is expressed or implied.

Contents
Introduction
Purpose
Contributors
MCN Security Mandatory Operational Policies
General MCN Connectivity
Architecture
Data Encryption
Virus Detection
Inbound Traffic to the MCN
Outbound Traffic from the MCN
Wireless Communication on the MCN
MCN Security Recommended Practices
General MCN Considerations
Virus Detection
Inbound Traffic to the MCN
Outbound Traffic from the MCN
Miscellaneous Recommendations

Introduction

Purpose
This document presents a mandatory and recommended set of practices for working with Manufacturing Control Network (MCN) security. The recommendations are the result of collaboration between the Engineering, IT, and Security organizations. All MCNs must conform to the mandatory operational policies listed. A variance process must be followed for any diversion from the mandatory policies.

Contributors
Company proprietary information has been removed from this document to ensure corporate security.

MCN Security Mandatory Operational Policies
The following policies must be followed for all MCNs. A variance process must be followed for any diversion from the mandatory policies. Sites currently using non-guideline firewall equipment that want to expand their installation must also go through the variance process. It doesn't make sense for early adopters currently using non-guideline firewalls to change equipment, but they may want to migrate to corporate guideline equipment as firewalls need to be replaced in the future.

General MCN Connectivity
1. All high and medium-risk manufacturing control networks must be firewalled or disconnected from any external networks (site, corporate, and/or public networks).
a. High-risk manufacturing control network installations will be completed with haste.
b. Medium-risk manufacturing control network installations will be completed promptly after securing the high-risk installations.
2. All manufacturing control network firewalls must be:
a. Configured according to a set of published standards established company-wide.
b. Centrally monitored in accordance with the "Corporate Firewall Monitoring Guidelines" for health and security by the Corporate Firewall Monitoring/Support Entity.
c. Centrally backed up by the Corporate Firewall Monitoring/Support Entity, with a viable and documented disaster recovery process.
d. Centrally supported by the Corporate Firewall Monitoring/Support Entity, with a documented Escalation, Reporting, and Change Management process in place.
3. Brand XXX, Model NNN firewalls are the current guideline firewall for manufacturing control networks.

Architecture
1. The manufacturing control network must be completely separated from the corporate network (e.g., the MCN and the local area network (LAN) cannot share the same switching infrastructure).
a. MCN-connected devices are addressed using approved company registered addressing.
b. All devices on the MCN must be on a separate subnet from the rest of the site LAN devices.
c. The MCN can be a full Class C subnet of 254 nodes or a portion of the range based upon natural bit boundaries of the subnet mask.
d. Devices on the LAN accessing nodes on the MCN must be on a proper subnet mask, as defined by the node's gateway mask. (A different subnet mask will not work.)
e. Network Address Translation (NAT) will not be used on the MCN.
2. No modems shall be directly connected to the MCN or to any MCN node for remote access to MCN devices by users or support personnel.

Data Encryption
1. All MCN data traveling over public networks (intranet) must be encrypted. The standard corporate VPN technology must be employed.

Virus Detection
1. Virus detection software shall run on all Windows-based devices on the MCN. Virus definition files must be kept up-to-date.

Inbound Traffic to the MCN
1. Interactive users connected to the LAN who need access to devices on the MCN must use token-based two-factor authentication to authenticate at the MCN firewall.
2. Receiving e-mail is not allowed on any MCN device.
3. An HTTP proxy must be set up at the MCN firewall to block inbound scripts.
4. Inbound unauthenticated SNMP commands ("Gets" and "Sets") are prohibited from the LAN to MCN devices.
5. The following Telnet practices must be followed:
• Interactive token-based two-factor authenticated Telnet session commands from the LAN to the MCN are allowed.
• Non-interactive inbound Telnet session commands from the LAN to the MCN are prohibited.
6. The following FTP practices must be followed:
• Inbound anonymous FTP session commands (interactive application-to-application) are prohibited from the LAN to the MCN.
• Inbound user-identified (interactive application-to-application) FTP session commands from the LAN to the MCN are allowed.
• Interactive token-based two-factor authenticated anonymous FTP session commands from the LAN to the MCN are allowed.

Outbound Traffic from the MCN
1. MCN devices shall not be allowed to access the Internet through the firewall.

Wireless Communication on the MCN
1. Wireless devices using the 802.11b communications standard shall not be used on manufacturing control networks.

MCN Security Recommended Practices
The following security guidance is strongly recommended as complementary practices to the mandatory policies identified in the preceding section. These practices should be followed to ensure the safety of the Manufacturing Control Network.

General MCN Considerations
1. Operator console activities should be limited to those required to perform the job. Non-essential applications, such as Lotus Notes or Outlook user e-mail and Microsoft Office desktop applications, should not be installed on MCN devices.
2. In general, token-based two-factor authentication is not required for users located on the MCN in order to access devices on the MCN.
3. Control room operators do not need a Windows login or token-based two-factor authentication to gain access to consoles used to control the process. Physical security practices must be employed to restrict access to designated personnel.

Virus Detection
1. Brand YYY is the guideline and preferred virus detection software within the company. Brand ZZZ Anti-virus is an acceptable alternative if Brand YYY is not compatible with critical MCN applications.
2. Virus definition files for MCN devices should be obtained from the corporate intranet server, not directly from the Internet. (In order to minimize security vulnerabilities, the recommended strategy is to FTP copy the virus definition files from a LAN-connected device to a single device on the MCN, and then have this device distribute the definition files to the other MCN nodes.) The files should be virus checked before copying them to the MCN.

Inbound Traffic to the MCN
1. Inbound traffic through the MCN firewall should be limited to essential communications only.
a. All non-interactive inbound traffic from the LAN to the MCN is source, destination, and service port restricted using static firewall rules.
b. Interactive users on the LAN who have successfully token-based two-factor authenticated at the MCN firewall are destination and service port restricted using dynamic rules. Interactive users may be further restricted at the application level with Windows authorization mechanisms and/or access control lists.
c. Remote support personnel connecting from the Internet must run the corporate VPN connection client and authenticate using the token-based two-factor authentication scheme in order to connect to the corporate network. (Mandatory Policy)
d. Remote support personnel connecting to the corporate network via dial-in modem must authenticate using token-based two-factor authentication to gain access to network resources. They are required to authenticate a second time to gain access to the MCN, again using token-based two-factor authentication.
e. Remote Procedure Call (RPC)-type communications like DCOM that dynamically open a wide range of ephemeral ports (#1024 – #65535) should be avoided. Restrict, if possible, by making registry modifications to limit the port ranges within the application.
f. Web servers should be located on the LAN rather than the MCN side of the firewall. If a Web server is located on the MCN, standard browser clients on the LAN may connect to the MCN-based Web server, provided the application does not utilize any Java scripts. All inbound HTTP scripts must be blocked at the MCN firewall.
2. Support personnel moving files from the LAN to the MCN should use FTP rather than Windows Copy to move the files.
3. Avoid passing Domain Name Services (DNS) between the LAN and the MCN. However, there may not be any workaround if the Primary Domain Controller (PDC) is located on the MCN. The WINS method is typically used for NetBIOS name resolution. This issue can be resolved by using an LMHOSTS file and removing the WINS entry from the network configuration.
4. Inbound traffic to the MCN from another MCN on the same firewall should be limited to essential communications only.
a. All non-interactive inbound traffic from another MCN is source, destination, and service port restricted using static firewall rules.
b. Inbound interactive users from another MCN employ token-based two-factor authentication and are destination and service port restricted using dynamic firewall rules.

Outbound Traffic from the MCN
1. Outbound traffic through the MCN firewall should be limited to essential communications only.
a. All non-interactive outbound traffic from the MCN to the LAN is source, destination, and service port restricted using static firewall rules.
b. Interactive users (with no login authentication) on MCN-connected devices need token-based two-factor authentication to egress through the MCN firewall to resources on the LAN. Communication is source, destination, and service port restricted using static firewall rules.
c. Special administrative users may use token-based two-factor authentication to temporarily egress the MCN. Dynamic rules are used to provide temporary egress to LAN-connected devices. Dynamic rules may not be in violation of the mandatory Inbound and Outbound Policies.
2. Outbound Simple Mail Transport Protocol (SMTP) mail communications from the MCN to the LAN are acceptable.
3. Mapped drives across the MCN firewall should be avoided.
4. Outbound traffic from the MCN to another MCN on the same firewall should be limited to essential communications only.
a. All non-interactive outbound traffic from the MCN to another MCN is source, destination, and service port restricted using static firewall rules.
b. Outbound interactive users from the MCN to another MCN require token-based two-factor authentication and are destination and service port restricted using dynamic rules.
5. Time service communication from a LAN time server may traverse the MCN firewall to synchronize time on the MCN. Communication is source, destination, and service port restricted.

Miscellaneous Recommendations
1. Area businesses should develop a documented Change Management process with appropriate signoff by safety, security, and manufacturing personnel. The Firewall Monitoring/Support Entity shall be notified in advance of any ruleset changes expected to trigger a firewall alarm notification event.
2. Areas must provide updated escalation contact information to the central Firewall Monitoring/Support Entity.
3. The site security policy must include the manufacturing control security practices employed at the sites. These practices should contain a periodic review of the authorized users configured on the MCN firewall and the associated rules, to address vulnerabilities created by changing roles.
4. Manufacturing Support Systems that download values directly to the DCS should typically be located on the MCN rather than the LAN. Placing the manufacturing support system behind the MCN firewall can add an additional level of protection to the manufacturing support system and its data. This assessment needs to be a site-by-site decision, based upon the specific manufacturing support system, how the DCS interface is physically connected, the capability of the interface, how the interface is presently configured and set up, whether the interface can be re-configured, and the systems used.
5. Special HMI application clients may employ proprietary security mechanisms to authorize control access of users to information servers. These proprietary security mechanisms may not function correctly through the MCN firewall. Special care must be taken to ensure users can securely employ any special proprietary security mechanisms within the constraints of the stringent MCN security policies and practices.
7. VAX-based manufacturing shop floor applications may contain information critical to regulatory or process control systems, and are more business critical than the general LAN-based servers. Sites should consider implementing a token-based two-factor authentication agent to authenticate users in order to reduce the vulnerability of these systems.
8. A CD or DVD burner installed on an MCN device may be a viable alternative for backing up key files, rather than opening up the MCN firewall to copy files from the MCN network to the LAN.
9. Like control room consoles, there may be special function HMI (human machine interface) nodes on the manufacturing floor shared amongst several operators to perform essential production tasks. These operators do not need a login or token-based two-factor authentication in order to gain access to the HMI nodes. Physical controls and administrative practices are employed to limit access to these devices to authorized operators. Examples include shared mix stations, spinning doff stations, packing stations, etc.

Annex B — Sample Vulnerability Assessment Procedure
The ISA-SP99 committee recognizes this topic as important to address in a future revision of this Technical Report.

Annex C — Integrating Security Supplier Practices
The ISA-SP99 committee recognizes this topic as important to address in a future revision of this Technical Report.

Developing and promulgating sound consensus standards, recommended practices, and technical reports is one of ISA's primary goals. To achieve this goal, the Standards and Practices Department relies on the technical expertise and efforts of volunteer committee members, chairmen, and reviewers. ISA is an American National Standards Institute (ANSI) accredited organization. ISA administers United States Technical Advisory Groups (USTAGs) and provides secretariat support for International Electrotechnical Commission (IEC) and International Organization for Standardization (ISO) committees that develop process measurement and control standards. To obtain additional information on the Society's standards program, please write:
ISA
Attn: Standards Department
67 Alexander Drive
P.O. Box 12277
Research Triangle Park, NC 27709
ISBN: 1-55617-889-1
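As an added example illustrating the inbound and outbound firewall policies of the Annex A sample document above (this is not code from the Technical Report or from the entity whose policy is reproduced): a Python checker that runs over a simplified permit-rule list and reports the rules that conflict with those policies. The rule fields, the zone names, the sample addresses and the use of well-known port numbers are assumptions.

```python
"""Added example, not part of ANSI/ISA-TR99.00.02-2004 or of the Annex A
sample policy: check a simplified MCN firewall ruleset against the Annex A
inbound and outbound policies. Rule fields, zones and ports are assumptions."""

SMTP, TELNET, FTP, SNMP, SMB = 25, 23, 21, 161, 445   # well-known ports
EPHEMERAL = (1024, 65535)   # range named in recommended inbound practice 1.e


def check_rule(r):
    """Return (policy reference, finding) pairs for one permit rule.
    Fields: src/dst zone (LAN, MCN, OTHER_MCN, INTERNET), proto, port (one
    number or an inclusive (low, high) range), interactive, authenticated
    (token-based two-factor at the firewall), anonymous (FTP), kind
    (static|dynamic), src_hosts (explicit source addresses or None)."""
    out = []
    p = r["port"]
    lo, hi = (p, p) if isinstance(p, int) else tuple(p)
    tcp = r["proto"] == "tcp"

    # Mandatory outbound 1: MCN devices never reach the Internet.
    if r["src"] == "MCN" and r["dst"] == "INTERNET":
        out.append(("Outbound 1", "MCN device allowed to reach the Internet"))

    if r["src"] == "LAN" and r["dst"] == "MCN":
        # Mandatory inbound 1: interactive LAN users authenticate at the firewall.
        if r["interactive"] and not r["authenticated"]:
            out.append(("Inbound 1", "interactive access without two-factor auth"))
        # Mandatory inbound 2: no e-mail delivery to MCN devices.
        if tcp and lo <= SMTP <= hi:
            out.append(("Inbound 2", "e-mail delivery (SMTP) into the MCN"))
        # Mandatory inbound 4: no unauthenticated SNMP Gets/Sets from the LAN.
        if r["proto"] == "udp" and lo <= SNMP <= hi and not r["authenticated"]:
            out.append(("Inbound 4", "unauthenticated SNMP from the LAN"))
        # Mandatory inbound 5/6: Telnet and anonymous FTP only as interactive,
        # two-factor authenticated sessions.
        if tcp and lo <= TELNET <= hi and not r["interactive"]:
            out.append(("Inbound 5", "non-interactive Telnet into the MCN"))
        if (tcp and lo <= FTP <= hi and r.get("anonymous")
                and not (r["interactive"] and r["authenticated"])):
            out.append(("Inbound 6", "anonymous FTP into the MCN"))
        # Recommended inbound 1.a/1.b: non-interactive traffic uses static rules
        # pinned to source, destination and one service port; authenticated
        # interactive users get dynamic rules.
        if not r["interactive"]:
            if r["kind"] != "static" or lo != hi or not r.get("src_hosts"):
                out.append(("Recommended inbound 1.a", "non-interactive traffic "
                            "not pinned to source, destination and service port"))
        elif r["authenticated"] and r["kind"] != "dynamic":
            out.append(("Recommended inbound 1.b",
                        "authenticated interactive users need dynamic rules"))
        # Recommended inbound 1.e: RPC/DCOM-style ranges of ephemeral ports
        # (flagged here when at least 1000 ephemeral ports are opened).
        if min(hi, EPHEMERAL[1]) - max(lo, EPHEMERAL[0]) >= 1000:
            out.append(("Recommended inbound 1.e", "opens a wide ephemeral port range"))

    # Recommended outbound 3: no mapped drives (SMB) across the MCN firewall.
    if {r["src"], r["dst"]} == {"LAN", "MCN"} and tcp and lo <= SMB <= hi:
        out.append(("Recommended outbound 3", "mapped drive (SMB) across firewall"))
    return out


def check_ruleset(rules):
    """Findings for a whole ruleset, keyed by rule name (clean rules omitted)."""
    report = {}
    for r in rules:
        findings = check_rule(r)
        if findings:
            report[r["name"]] = findings
    return report


# Constructed sample ruleset: the first two rules comply, the rest do not.
SAMPLE_RULES = [
    {"name": "ntp-from-site-clock", "src": "LAN", "dst": "MCN", "proto": "udp",
     "port": 123, "interactive": False, "authenticated": False,
     "kind": "static", "src_hosts": ["10.0.0.5"]},      # recommended outbound 5
    {"name": "engineer-telnet", "src": "LAN", "dst": "MCN", "proto": "tcp",
     "port": TELNET, "interactive": True, "authenticated": True,
     "kind": "dynamic", "src_hosts": None},
    {"name": "historian-dcom", "src": "LAN", "dst": "MCN", "proto": "tcp",
     "port": (1024, 65535), "interactive": False, "authenticated": False,
     "kind": "static", "src_hosts": ["10.0.0.20"]},
    {"name": "snmp-poll", "src": "LAN", "dst": "MCN", "proto": "udp",
     "port": SNMP, "interactive": False, "authenticated": False,
     "kind": "static", "src_hosts": ["10.0.0.30"]},
    {"name": "hmi-web-out", "src": "MCN", "dst": "INTERNET", "proto": "tcp",
     "port": 80, "interactive": True, "authenticated": False,
     "kind": "static", "src_hosts": None},
]
```

check_ruleset(SAMPLE_RULES) returns findings for the DCOM range, the SNMP poll and the Internet-bound rule only; the checks cover the policies that a permit rule can contradict, not those that need host configuration (proxy script blocking, modems, wireless).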