Introducing the ISA / IEC-62443 Series of Cybersecurity Standards


Introducing the ISA / IEC-62443 Series of Cybersecurity Standards & Applying them to Municipal Water Systems
Graham Nasby, P.Eng, PMP, CAP
Water SCADA & Security Specialist
City of Guelph Environmental Services (Water)
2021 OWWA Automation Webinar
Nov 4, 2021 – Ontario Waterworks Association – Ontario, Canada

About the Speaker
Graham Nasby, P.Eng., PMP, CAP
Water SCADA & Security Specialist
City of Guelph Environmental Services (Water Services)
- 10 years in the consulting sector
- Joined Guelph Water Services in 2015
- OWWA and WEAO Member, Member of OWWA Automation Committee
- Co-chair of ISA112 SCADA Systems standards committee
- Voting member of ISA101 HMI Design standards committee
- Voting member of ISA18 Alarm Management standards committee
- Named Canadian Expert on IEC/SCC-TC65 with Standards Council of Canada
- Guest instructor at McMaster University and Conestoga College
- Has published over 40 papers and articles on automation topics
- Received University of Guelph “Mid Career Achievement Award” in 2014
- Received ISA’s Standards Committee Leader of the year award in 2021
Contact: graham.nasby@guelph.ca
Intro to ISA/IEC-62443 Cybersecurity Standards, 2021 OWWA Automation Webinar – Nov 4, 2021

I wanna be a Water Guy when I grow up!

City of Guelph Water Services
- Guelph, Ontario, Canada
- 140,000 residents
- 21 groundwater wells
- 3 water towers
- 549 km of water mains
- 49,000 service connections
- 2,750 fire hydrants
- 35 unmanned facilities
- 46,000 m3/day [12 MGD]
- 60,000 m3/day peak [15 MGD]

Guelph Water Connected with SCADA
- Approx. 15km x 15km area
- 35 Facilities
  - 4 booster stations
  - 21 wells
  - 2 valve chambers
  - 3 water towers
  - 5 monitoring sites
- 40 PLCs plus 2 data centers
- Redundant Data-Logging
  - Traditional SCADA data-logging
  - QuickPanels with store/forward
  - DNP3 Data-loggers with store/forward
- High availability SCADA network
  - Primary: private fibre optic
  - Secondary: private wireless, with 45 second auto-failover

Presentation Outline
- SCADA Refresher
- What are the ISA/IEC-62443 Standards
- Who develops the 62443 standards
- 62443 Standards Structure & Documents
- Common Themes of ISA/IEC-62443 Standards
- Structure of the Standards
- Maturity, Security Level, Zones/Conduits
- Key ISA/IEC-62443 Concepts
- How to Apply 62443 Standards to SCADA Systems
- Working with other Cybersecurity Standards
- Best Practices & Take-Aways

A Quick SCADA Refresher

What is SCADA?
SCADA: Supervisory Control and Data Acquisition

Typical SCADA Architecture

Introducing the ISA/IEC-62443 Standards

General
- 1-1 Concepts and models
- 1-2 Master glossary of terms and abbreviations
- 1-3 System security conformance metrics
- 1-4 Security life cycle and use cases

Policies & Procedures
- 2-1 Security program requirements for IACS asset owners
- 2-2 Security protection scheme and security protection ratings
- 2-3 Patch management in the IACS environment
- 2-4 Security program requirements for IACS service providers
- 2-5 Implementation guidance for IACS asset owners

System
- 3-1 Security technologies for IACS
- 3-2 Security risk assessment and system design
- 3-3 System security requirements and security levels

Component / Product
- 4-1 Product security development life-cycle requirements
- 4-2 Technical security requirements for IACS components

In ISA / IEC-62443 terminology:
IACS: Industrial Automation Control System, also known as “OT” or “SCADA”

Who Develops the 62443 Standards
- ISA-62443 (and IEC 62443); a series of standards developed primarily by ISA and published by two groups:
  - ISA99 ANSI/ISA-62443
  - IEC TC65/WG10 IEC 62443
- In consultation with:
  - ISO/IEC JTC1/SC27 ISO/IEC 2700x

ISA – International Society of Automation

ISA99 Standards Committee
The International Society of Automation (ISA) committee ISA99: Security for Industrial Automation & Control Systems
- Members from around the world
- Multiple sectors and stakeholders
- Working in collaboration with IEC TC65 WG10
- Consistent leadership since c. 2002

ISA99 Committee Scope (*)
“automation and control systems whose compromise could result in any or all of the following situations:
- endangerment of public or employee safety
- environmental protection
- loss of public confidence
- violation of regulatory requirements
- loss of proprietary or confidential information
- economic loss
- impact on entity, local, state, or national security”
(*) Taken from the original committee scope description

ISA99 Committee Membership
Reflects expertise from many sectors, including:
- Chemicals, Oil and Gas
- Food and acturing
- Transportation
- ICS suppliers
- Government

ISA/IEC-62443 Standards Documents

ISA/IEC-62443 Common Themes

Defense In Depth
- Defense in Depth is a concept in which several levels of security (defense) are distributed throughout the system. The goal is to provide redundancy in case a security measure fails or a vulnerability is exploited.

Zones and Conduits
- Zones divide a system into homogeneous zones by grouping the (logical or physical) assets with common security requirements. The security requirements are defined by Security Level (SL). The level required for a zone is determined by the risk analysis.
- Zones have boundaries that separate the elements inside the zone from those outside. Information moves within and between zones. Zones can be divided into sub-zones that define different security levels (Security Level) and thus enable defense-in-depth.
- Conduits group the elements that allow communication between two zones. They provide security functions that enable secure communication and allow the coexistence of zones with different security levels.

ISA/IEC-62443 Common Themes

Maturity Level
- Maturity Level 1 - Initial: Product suppliers/implementers usually carry out product development ad hoc, often with an undocumented process.
- Maturity Level 2 - Managed: The product supplier/implementer is able to manage the development of a product according to written guidelines. It must be demonstrated that the personnel who carry out the process have the appropriate expertise, are trained and/or follow written procedures. The processes are repeatable.
- Maturity Level 3 - Defined (practiced): The process is repeatable throughout the supplier's organization. The processes have been practiced and there is evidence that this has been done.
- Maturity Level 4 - Improving: Product suppliers use appropriate process metrics to monitor the effectiveness and performance of the process and demonstrate continuous improvement in these areas.
- Maturity Level 5 – Same as 4, but has been improved/optimized over time, and continues to be optimized to meet both security and repeatability goals.

ISA/IEC-62443 Common Themes

Security Level
- Technical requirements for systems (IEC 62443-3-3) and products (IEC 62443-4-2) are evaluated in the standard by four so-called Security Levels (SL). The different levels indicate the resistance against different classes of attackers. The standard emphasizes that the levels should be evaluated per technical requirement (see IEC 62443-1-1) and are not suitable for the general classification of products.
- Security Level 0: No special requirement or protection required.
- Security Level 1: Protection against unintentional or accidental misuse.
- Security Level 2: Protection against intentional misuse by simple means with few resources, general skills and low motivation.
- Security Level 3: Protection against intentional misuse by sophisticated means with moderate resources, IACS-specific knowledge and moderate motivation.
- Security Level 4: Protection against intentional misuse using sophisticated means with extensive resources, IACS-specific knowledge and high motivation.

ISA/IEC-62443 Components
- Principal Roles
- Life Cycles and Processes
- System Under Consideration
- General Security Concepts
- Operations Security Concepts
- Foundational Requirements

Principal Roles
- Asset Owner
- Product Supplier
- Maintenance Service Provider
- Integration Service Provider

Associated Roles
- Asset Operator
- Regulatory Authority
- Compliance Authority

Related Lifecycles
Based on VDI 2182

System to be Protected
- Describes the scope of the system being addressed by the security response
- Must be defined by the asset owner for the specific situation
- What is being protected?
- What do you want to protect it from?
- What level of risk is acceptable?
- How many resources to invest

General Security Principles
- Security Elements
- Risk-Based Approach
- Compensating Measures
- Least Privilege
- Least Function
- Essential Function
- Defense in Depth
- Supply Chain Security
Source: ISA-62443-1-1

Operations Security Principles
- How Different Parts of the System are Used
- Defining System Access Points
- Safety, Integrity, Availability, Confidentiality (OT vs IT)
- Zones and Conduits
- Security Levels
- Maturity Levels
- Security Protection Scheme
- Security Protection Rating
- Security and Functional Safety
Source: ISA-62443-1-1

Security Element Grouping (diagram; labels recovered from the slide)
- Foundational requirements: Identification, authentication & access control (FR1); Use control (FR2); System integrity (FR3); Data confidentiality (FR4); Restrict data flow (FR5); Timely response to event (FR6); Resource availability (FR7)
- Security Program Elements: Organizational security measures; Configuration management; Network and communications security; Component security; Protection of data; User access control; Event and incident management; System integrity and availability
- Process: ISA/IEC 62443-2-4, ISA/IEC 62443-4-1, ISO 27001 & other ISMS
- People: ISA/IEC 62443-2-1, ISA/IEC 62443-2-2
- Technical Requirements: ISA/IEC 62443-3-3, ISA/IEC 62443-4-2
- Other labels: Organization; Security program requirements; Organizational requirements

Typical Structure of IACS System (SCADA)
IACS
- Includes a set of Policies and Procedures
- Includes one or more Automation Solution(s)
- Includes one or more Systems (Products)
- Includes one or more Components (Products)
Source: ISA-62443-1-1
Source: ISA112

Zones & Conduits
- A means for defining
  - How different systems interact
  - Where information flows between systems
  - What form that information takes
  - What devices communicate
  - How those devices communicate
  - The security differences between system components
- Technology helps, but architecture is more important
Source: ISA112
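
An added example (not part of the presentation) of the zones and conduits idea from the Common Themes and Zones & Conduits slides: assets are grouped into zones with a required Security Level, each conduit lists what may pass between two zones, and observed flows are checked against that design. The zone, asset and conduit names, the protocols and the flows are all constructed for illustration.

```python
# Added example, not from the presentation: zone and conduit model with a flow audit.
# All zone, asset and conduit names, protocols and flows are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Zone:
    name: str
    security_level: int   # SL required for the zone (set by the risk analysis)
    assets: frozenset     # assets grouped because they share security requirements

@dataclass(frozen=True)
class Conduit:
    name: str
    zones: frozenset      # names of the two zones the conduit joins
    protocols: frozenset  # traffic the conduit is designed to carry

ZONES = (
    Zone("enterprise", 1, frozenset({"office-pc", "billing-srv"})),
    Zone("scada-dmz", 2, frozenset({"historian-mirror"})),
    Zone("scada-control", 3, frozenset({"scada-srv", "hmi-01", "well-07-plc"})),
)
CONDUITS = (
    Conduit("fw-ent-dmz", frozenset({"enterprise", "scada-dmz"}), frozenset({"https"})),
    Conduit("fw-dmz-ctl", frozenset({"scada-dmz", "scada-control"}),
            frozenset({"historian-repl"})),
)
# Observed flows as (source asset, destination asset, protocol).
FLOWS = (
    ("hmi-01", "well-07-plc", "dnp3"),
    ("scada-srv", "historian-mirror", "historian-repl"),
    ("office-pc", "historian-mirror", "https"),
    ("office-pc", "well-07-plc", "dnp3"),
    ("historian-mirror", "scada-srv", "rdp"),
    ("vendor-laptop", "hmi-01", "rdp"),
)

def zone_of(asset, zones=ZONES):
    """Return the single zone holding the asset, or None if it is not inventoried."""
    found = [z for z in zones if asset in z.assets]
    if len(found) > 1:
        raise ValueError(f"{asset} is assigned to more than one zone")
    return found[0] if found else None

def audit_flows(flows=FLOWS, zones=ZONES, conduits=CONDUITS):
    """List every flow that does not fit the zone and conduit design."""
    findings = []
    for src, dst, proto in flows:
        src_zone, dst_zone = zone_of(src, zones), zone_of(dst, zones)
        if src_zone is None or dst_zone is None:
            findings.append((src, dst, proto, "asset not in any zone"))
        elif src_zone != dst_zone:  # traffic inside one zone crosses no boundary
            pair = frozenset({src_zone.name, dst_zone.name})
            conduit = next((c for c in conduits if c.zones == pair), None)
            if conduit is None:
                levels = f"SL{src_zone.security_level} to SL{dst_zone.security_level}"
                findings.append((src, dst, proto, f"no conduit ({levels})"))
            elif proto not in conduit.protocols:
                findings.append((src, dst, proto, f"not allowed on {conduit.name}"))
    return findings

if __name__ == "__main__":
    for finding in audit_flows():
        print(finding)
```

The three flagged flows are the ones a zone and conduit review should surface: a path between zones with no conduit defined, traffic that a conduit was not designed to carry, and a device that was never assigned to a zone.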

Security (Protection) Levels
Protection against
Source: ISA112

(Security) Maturity Levels
- A means of assessing capability
- An evolving concept in the standards
- Progressive levels of achievement
  - Initial
  - Managed
  - Defined
  - Improving

Foundational Requirements
- FR 1 – Identification & authentication control
- FR 2 – Use control
- FR 3 – System integrity
- FR 4 – Data confidentiality
- FR 5 – Restricted data flow
- FR 6 – Timely response to events
- FR 7 – Resource availability

Other Important Requirements
- Safety, Integrity, Availability, Confidentiality
  - Addition of safety
  - Availability has the highest priority after safety
- Functional Safety and Security
  - Coordinated approach to risk assessment

Other Important Requirements
- Security Protection Scheme (SPS)
  - a set of technical and organizational security measures for protecting the system against cyber threats during operation
- Security Protection Rating (SPR)
  - used when assessing the fulfillment by the SPS of the security requirements

ISA/IEC-62443 Standards Documents

Looking in some ISA/IEC-62443 Documents


ISA/IEC-62443 Standards Documents

Applying ISA/IEC-62443 to the Water Sector
- Use Zones & Conduits Architecture – Segment & Protect
- Design Security into the System instead of afterwards
- Use a Risk-Based Approach to Design, Testing & Ops
- Design a system around: Least Privilege, Least Function
- Defense in Depth
- Supply Chain Security
- Documented Procedures
- Review Security Frequently
- Active Monitoring
- Treat it as a Lifecycle

Any Questions?
* Not a High Performance SCADA System
Graham Nasby, Water SCADA & Security Specialist
graham.nasby@guelph.ca
