ISA IC32 Flashcards

1
Q

What is a Control System?

A

CS is the hardware and software components of an Industrial Automation and Control System (IACS)

2
Q

What does IACS stand for?

A

Industrial Automation and Control System

3
Q

What is Cybersecurity?

A

Defined as measures taken to protect a computer or computer system against unauthorized access or attack.

4
Q

Name 5 Trends of Control System Cybersecurity?

A
  • Businesses have reported more unauthorized attempts and a marked increase in malicious code attacks
  • Control systems use more commercial off the shelf (COTS) software and hardware
  • Implementing Internet Protocols (IP) exposes control systems to same vulnerabilities as business systems
  • Increased use of remote monitoring and access
  • Tools to automate attacks are commonly available
5
Q

6 Potential Impacts of Cybersecurity issues in Control Systems

A
  • Unauthorized access, theft or misuse of data
  • Loss of integrity or reliability of the control system
  • Loss of control system availability
  • Equipment damage
  • Personnel injury
  • Violation of legal and regulatory requirements
6
Q

Name 4 Services that are currently available for Cybersecurity misuse

A
  • Malware as a Service (MaaS)
  • Hacking as a Service (HaaS)
  • Crimeware as a Service (CaaS)
  • Fraud as a Service (FaaS)
7
Q

Name 5 old but goodies for Malware?

A
  • Stuxnet
  • Shamoon I & II
  • HAVEX
  • Malware is Operating System (OS) agnostic
  • Shellshock (Bashdoor) Unix/Linux/MacOSX variant
8
Q

What are the 5 Myths regarding IACS Security?

A
  • Myth 1 “We Don’t Connect to the Internet…”
  • Myth 2 Control Systems Are Behind a Firewall
  • Myth 3 Hackers Don’t Understand Control Systems
  • Myth 4 Our Facility is Not a Target
  • Myth 5 Our Safety Systems Will Protect Us
9
Q

Myth 1 “We Don’t Connect to the Internet…”: why is it not true?

A

You don’t need to connect to the internet to get infected. USB Sticks, Jump Server, Remote Services

10
Q

Myth 2 “Control Systems Are Behind a Firewall”: why is it not true?

A

Firewalls are still badly misconfigured

Modern configuration software doesn’t help admins make fewer mistakes

11
Q

Myth 3 “Hackers Don’t Understand Control Systems”: why is it not true?

A
  • Many people think that hackers don’t understand control systems – this is no longer true
  • Hacking is no longer just for fun – hackers now sell zero-day exploits to organized crime
  • Hacking as a Service Hit the Mainstream
  • SCADA and process control systems are now common topics at “DEFCON” and “Blackhat” conferences
12
Q

Myth 5 “Our Safety Systems Will Protect Us” is not true

A

• Modern safety systems are micro-processor based, programmable systems configured with a Windows PC
• Now commonplace to integrate control and safety systems using Ethernet communications with open and insecure protocols (Modbus TCP, OPC, etc.)
• Many safety system communication interface modules run embedded operating systems and Ethernet stacks that have known vulnerabilities
• IEC 61508 Certification (i.e. Safety Integrity Level (SIL) certification) doesn’t evaluate security

13
Q

What is the characteristic of a Regulation?

A

Regulations are mandatory.

14
Q

Name 3 Regulations

A
  • Department of Homeland Security - Chemical Facility Anti-Terrorism Standards (CFATS)
  • Department of Energy Federal Energy Regulatory Commission (FERC)
  • Nuclear Regulatory Commission - Cyber Security Rule
15
Q

Name 5 facts about regulations

A

• Limited number of enforced cyber and physical security regulations — no teeth
• National cyber security strategies may or may not be in place
• Public-private partnerships lacking
• Sector-specific cybersecurity plans may or may not exist
• General agreement that no country or government can address cybersecurity risk in isolation

16
Q

Name 2 characteristics of Standards (Norms)

A
  • Standards are voluntary documents (Consensus driven)

  • There is no requirement on anyone to use them unless….. (agreed in contract or referred to in regulations)

17
Q

When can courts use Standards (4)?

A

• Courts may decide in the absence of relevant regulation
– Non-compliance with a standard
– Using a “what would a reasonable man on the street do” test
– Sufficient grounds to determine liability
– EUROPEAN COMMISSION Standards and Standardization Handbook

18
Q

What does a standard consist of (2)?

A

Standards contain both normative and informative elements

19
Q

What are normative Elements?

A

Normative elements are those parts that shall be (mandatory) complied with in order to demonstrate compliance with the standard
Normative elements are indicated by the use of the word ‘shall’

20
Q

What are informative elements?

A

Informative elements provide clarification or additional information
– Informative elements may not contain requirements
– The word ‘shall’ is not used

21
Q

What global initiatives are in the works for Standards (3)?

A

• Collaborative approach preferred

• ENISA (European Union Agency for Network and Information Security) has analyzed the current maturity level of ICS/SCADA cybersecurity in Europe
– Provided recommendations for improvement
• Australia Cyber Security Strategy
• Japan (new agency) ICPA (Industrial Cybersecurity Promotion Agency)

22
Q

What does ISA stand for?

A

The International Society of Automation (ISA)

23
Q

What norm does ISA create and for what?

A

Committee on Security for Industrial Automation & Control Systems (ISA99)

24
Q

Which sectors does ISA represent (7)?

A
Representing companies across all sectors, including:
– Chemical Processing
– Petroleum Refining
– Food and Beverage
– Energy
– Pharmaceuticals
– Water
– Manufacturing
25
What can happen when industrial automation and control systems are compromised (7)?
  • endangerment of public or employee safety
  • environmental protection
  • loss of public confidence
  • violation of regulatory requirements
  • loss of proprietary or confidential information
  • economic loss
  • impact on entity, local, state, or national security
26
What is the ISA standard for securing automation and control systems called?
ISA/IEC 62443
27
How many groups work on ISA/IEC 62443?
2 Groups: – ISA99 ANSI/ISA-62443 – IEC TC65/WG10 IEC 62443
28
Name 5 characteristics of the ISA/IEC 62443 committee?
  • Once published as an IEC format (obtain money)
  • PREFACE has listing of members and participants (experts in their area)
  • Volunteering their time and efforts
  • It can take up to 3 years for a standard to be developed, reviewed, voted on and be published
  • Always looking for new participants
29
How can you participate in the ISA committee without being a member?
  • Being a member of a work or task group that is developing or revising one or more work products (e.g., standards, technical reports)
  • Contributing to a "supporting" work activity, such as communications and outreach.
  • Reviewing and offering comments or feedback on draft work products
  • Assisting the committee in establishing joint working relationships with other committees and organizations
30
Name 9 other committees and organizations that work with the ISA committee?
  • Process Safety (ISA84, IEC TC65)
  • Wireless Communications (ISA100)
  • Certification (ISCI)
  • Communications & Advocacy (Automation Federation)
  • Security Framework (NIST)
  • International Reach (IEC/ISO)
  • Industrial Control Systems Joint Working Group (ICSJWG)
  • ISA in Europe, the Middle East & Africa (ISA EMEA)
  • ISASecure®
31
How many parts does ISA/IEC 62443 contain?
4 parts
32
What is the first part of ISA/IEC 62443?
First or top General tier contains standards and reports that are general in nature
33
What is the second part of ISA/IEC 62443?
Second tier Policies & Procedures addresses the people and process aspects of an effective security program using
34
What is the third part of ISA/IEC 62443?
Third tier System focus is on the technology related aspects of security
35
What is the fourth part of ISA/IEC 62443?
Fourth tier Component focuses on specific security related technical requirements of products and components
36
What is the content of ISA/IEC 62443-1-1 to 1-4?
– Concepts and Models – Master Glossary – Security Compliance Metrics – Lifecycle & Use Cases
37
What is the content of ISA/IEC 62443-2-1 to 2-4?
– Security Management System – Implementation Guidance – Patch Management – Requirements for Solution Suppliers
38
What is the content of ISA/IEC 62443-3-1 to 3-3?
– Security Technologies – Risk Assessment and System Design – System Requirements and Security Levels
39
What is the content of ISA/IEC 62443-4-1 to 4-2?
– Product Development Requirements | – Technical Requirement for Components
40
What is the characteristic of Security of Automation and Control Systems ISA/IEC 62443?
Clauses and subclauses serve as the basic components in the subdivision of the content
41
What does ICS stand for?
ICS = Industrial Control System(s) General term for types of control systems acting together to achieve an industrial objective
42
What does IACS stand for?
IACS = Industrial Automation and Control System(s) collection of personnel, hardware, software and policies involved in the operation of the industrial process and that can affect or influence its safe, secure and reliable operation
43
What term is used in ISA 62443?
IACS Industrial Automation and Control System(s)
44
What is ISA 62443?
62443 series is a large collection of related standards and reports – Critical that there be consistency across the various documents – Work in progress
45
How is the working information maintained and where?
The working information is maintained in the form of a Master Glossary on the ISA99.isa.org Wiki • Glossary to be published as technical report ISA-TR62443-1-2
46
What are the differences between IT and IACS (4)?
* There are important differences between IT systems and IACS * Problems occur because assumptions that are valid in an IT environment may not be valid on the plant floor and vice versa * IACS cyber security must address issues of safety, which is not usually an issue with conventional IT cybersecurity * Understanding the different needs of IACS and IT system security leads to cooperation and collaboration between historically disconnected camps
47
What does OT stand for?
Operational Technology; another word for IACS
48
What are the different priorities of IT and IACS?
IACS (Confidentiality --> Integrity --> Availability) | IT (Availability --> Integrity --> Confidentiality)
49
What are the performance requirements (5) of IT vs IACS?
  • Response must be reliable --> is time critical
  • High throughput --> Modest throughput
  • High delay and jitter tolerated --> high delay serious concern (near real time)
  • Less critical emergency interaction --> response to emergencies critical
  • IT protocols --> IT + Industrial Protocols
50
What are the Availability requirements (5) of IT vs IACS?
  • Scheduled operation --> Continuous operation
  • Occasional failures tolerated --> Outages intolerable
  • Rebooting tolerated --> Rebooting may not be acceptable
  • Beta testing in the field --> Thorough QA testing expected in nonproduction environment
  • Modifications possible with little paperwork --> Formal certification may be required after any change
51
What are the Operating Environments (6) of IT vs IACS?
  • Typical “Office” Applications --> Special Applications
  • Standard OS’s --> Standard and embedded OS’s
  • Upgrades are straightforward --> Upgrades are challenging and may impact hardware, logics and graphics
  • Technology is refreshed often Commercial Off The Shelf (COTS) (3 to 5 y) --> Legacy systems (15-20y)
  • Abundant resources (memory, bandwidth) --> Resource constrained
  • Data center, server room or office environment --> Industrial environment
52
What does COTS stand for?
Technology is refreshed often Commercial Off The Shelf (COTS)
53
What are the different Risk Management Goals (4) of IT vs IACS?
  • Data confidentiality and integrity paramount --> HSE and production are paramount (highest importance) (integrity & availability)
  • Risk impact is loss of data, delay of business operations --> Risk Impact is loss of life, equipment or product
  • Recover by reboot --> Fault tolerance essential
54
What should be regarded when setting up an IACS (3)?
* DON’T throw out all IT security technologies and practices and start from scratch * DO borrow IT security technologies and practices but modify them and learn how to use them properly in IACS * DO develop clear understanding how IACS assumptions and needs differ from that of the IT environment
55
What can be adapted for IACS from IT Security?
– IACS uses IT technologies like Windows, TCP/IP and Ethernet – Much of IT policy and technology will work for control systems – IT environment doesn’t deal in safety, only security
56
What is Defense in Depth (4)?
* A Perimeter (edge of the system) Defense is Not Enough * The bad guys will eventually get in. * Can’t just install a firewall and forget about security * Must harden the control systems network
57
What does Defense in Depth need?
– Defense in Depth – Detection in Depth – Accountable and timely incident response
58
What does Defense in depth mean?
“Defense in Depth” – applying multiple countermeasures in a layered or stepwise manner.
59
What can be part of Defense in Depth (10)?
Virus Scanners, Patch Management, Role Based Access Control, Account Management, Secure Architectures, Demilitarized Zones, Firewalls, VPN, Policies and Procedures, Physical Security
60
What should Detection in Depth alarms and logs report?
– Unusual data transfer patterns – Unexpected protocols being used – Out-of-time data traffic – Communication to unknown or unexpected MAC/IP Addresses – Logs turned-on to monitor activity – Send SYSLOG compatible logs to a central logging server – IDS sensors deployed across multiple zones in the production environment tuned to detect anomalous traffic – Patch Management & Anti-virus report devices out-of-date – Detection of unknown devices – Detection of missing devices
61
How do you calculate Risk?
Risk = Threat x Vulnerability x Consequence
62
What is Risk Response/Reaction (5)?
  • Design the risk out
  • Reduce the risk
  • Accept the risk
  • Transfer or share the risk
  • Eliminate/redesign redundant or ineffective controls
63
What is Risk Tolerance and who is responsible for it?
It is management’s responsibility to determine the level of risk the organization is willing to tolerate
64
What are Models in context of IACS?
• Reference models provide the overall conceptual • Asset model describes relationships between assets within an industrial automation and control system. • Reference architecture describes the configuration of assets • Zone model groups reference architecture elements according to defined characteristics (zone and conduits) • This provides a context for the definition of policies, procedures, and guidelines, applied to the assets.
65
How is the model relationship of ISA99 (4)?
Policies Procedures and Guidelines --> Assets --> Reference Architecture --> Zone and Conduit Model
66
How many Reference Model Levels exist and how they are called (5)?
* Level 4 – Enterprise Systems * Level 3 – Operations Management * Level 2 – Supervisory Control * Level 1 – Local or Basic Control * Level 0 – Process
67
What is Process Level 0 (2)?
– Physical process | – Includes sensors and actuators
68
What is Local or Basic Control 1 (1)?
Functions involved in sensing and manipulating the physical process
69
What is Supervisory Control 2 (21)?
Functions involved in monitoring and controlling the physical process
70
What is Operations Management 3 (1)?
Managing the work flows
71
What is Enterprise Systems 4 (1)?
Business Planning and Logistics
72
What is the Reference Model for ISA99 Norms?
Level 0 - 3 = Industrial Automation and Control Systems and Level 4 (Enterprise System) separated but connected via Interface!
73
What is the SCADA Reference Model?
Level 0-2 connected, but different plants connected via WAN with one Control Center Level 3 --> needs to be extra secured between Lvl. 2 and 3
74
What are Asset Models (4)?
• Asset model starts at a high level • Includes all Level 4, 3, 2, 1, 0 equipment and Information systems • Explicitly includes networks and ancillary equipment • Generic enough to fit the many situations where control systems are deployed
75
Name 4 characteristics of Security Zones (4)?
* Security zone is a logical grouping of physical, informational, and application assets sharing common security requirements * There can be zones within zones, or subzones, that provide layered security, giving defense in depth and addressing multiple levels of security requirements * A security zone has a border, which is the boundary between included and excluded elements * Security policy of a zone is typically enforced by a combination of mechanisms both at the zone edge and within the zone
76
What is a trusted security zone (2)?
– Confidence that an operation or data transaction source, network or software process can be relied upon to behave as expected – Attribute of an entity that is relied upon to a specified extent to exhibit an expected behavior
77
What is an untrusted security zone (3)?
– Not meeting predefined requirements to be trusted – Entity that has not met predefined requirements to be trusted – Entity may simply be declared as untrusted.
78
How can you define security zones (2)?
– Physically (physical zone) e.g. location | – Logically (virtual zone) e.g. process steps
79
What are the zone characteristics and security requirements that are its attributes (7)?
  • Security Policies
  • Asset Inventory
  • Access Requirements and Controls
  • Threats and Vulnerabilities
  • Consequences of a Security Breach
  • Authorized Technology
  • Change Management Process
80
What is a conduit?
Conduit is a logical grouping of communication assets that protects the security of the channels it contains – Similar to how physical conduit protects cables from physical damage. Or: logical grouping of communication channels, connecting two or more zones, that share common security requirements
81
Name 6 characteristics of Conduits?
  • Trusted conduits crossing zone boundaries must use an end-to-end secure process
  • Physical devices and applications that use the channels contained in a conduit define the conduit end points
  • Can be defined physically (cable/wireless) or logically
  • A conduit is a kind of Zone (but has no sub-conduit)
  • Conduits can cross a zone if not compromising
  • Conduits can be a single service (i.e., a single Ethernet network) or can be made up of multiple data carriers
82
Each conduit has a set of characteristics and security requirements that are its attributes (similar to zones), please name (8)?
  • Security Policies
  • Asset Inventory
  • Access Requirements and Controls
  • Threats and Vulnerabilities
  • Consequences of a Security Breach
  • Authorized Technology
  • Change Management Process
  • Connected Zones
83
What is WAN (3)?
* A wide area network (WAN) is a communications system that covers a large geographic area. * Traditionally joined mainframes distributed across the country or world. Now usually joins two or more LANs. * Often uses public networks, such as the telephone system. Can also use private lines, leased lines or satellites.
84
Name 3 WAN Strategies?
• Three WAN strategies: – Enterprise WANs – Carrier Managed WANs – Internet
85
What is LAN?
• A local area network (LAN) is a communications system that covers a limited distance (usually under 10 km), generally within a single facility.
86
What is a LAN called in production areas (5)?
  • Supervisory Networks (control networks)
  • DCS Highways
  • PLC Highways
  • Fieldbuses
  • Device Networks
87
What is the ISO/OSI Model (4)?
• Seven-layer vertical stack model – Organizes data communications protocols into layers – International Organization for Standardization (ISO) • Open Systems Interconnect / Reference Model (OSI/RM) • Each layer in the OSI model has a specific function in an ideal network and groups similar protocols together • Conceptual framework
88
Name all 7 Layers of ISO OSI?
1. Physical 2. Data Link 3. Network 4. Transport 5. Session 6. Presentation 7. Application (mnemonic: Please Do Not Throw Salami Pizza Away)
89
What is Physical Layer and characteristics (6).
The physical protocols define the physics of getting a message between devices like (important for troubleshooting): - Frequencies - Voltages - Connectors - Modulation - Topologies - Cables
90
Name 5 Physical Layer topologies?
Mesh, Star, Ring, Bus and Hybrid
91
What is Datalink Layer?
Provides the rules for framing, converting electrical signals to data, error checking, physical addressing and media access control (which station can talk at any given time on the network) Every communications network needs some data link protocols.
92
What are 2 subcategories of DataLink?
– Logical Link Control (LLC) | – Media Access Control (MAC) = Physical Address
93
What is a level 2 switch (3)?
* Layer 2 Switches work at physical and data-link layer within a single LAN * More advanced than a hub because a switch will only send a message to the device that needs or requests it * MAC address used to decide where to forward frame
94
What are the differences between unmanaged (3) and managed (2) switches?
  • Not configurable - remotely configurable
  • Plug and Play - advanced protocols (spanning tree, portconf. vlan)
  • Unmanaged at home or small companies
95
What is VLAN (4)?
• Partition a Layer 2 network (LAN) into multiple distinct segments (a.k.a. broadcast domains) • Enables grouping of hosts with common requirements regardless of their physical location • VLAN protocols (e.g. IEEE 802.1Q) tag frames with VLAN information • Can work hand in hand with QoS to prioritize time sensitive traffic
96
What is Network Layer (3)?
• The protocols at the Network layer deal with routing of messages through a complex network • For example, finding the best route through a network • IP of TCP/IP fame is one example of a network layer protocol
97
What are Routing Protocols – high level outside local network (3) (Network Layer)?
– RIP – Router Information Protocol – OSPF – Open Shortest Path First – BGP – Border Gateway Protocol
98
What are Routable Protocols (5) (Network Layer)?
  • IP (IPv4 and IPv6)
  • IPX
  • ICMP
  • IGMP
  • IPSEC
99
Name 3 characteristics of IPv4 (Network Layer)?
* Every device in a TCP/IP network needs a unique IP address * IPv4 uses a 32 bit address written in the quad-dotted form: 147.10.24.16 * Each number (0-255) is the decimal coding for 8 bits (octet)
100
What is ARP (3) (Network Layer)?
* Address Resolution Protocol (IPv4) * Resolve Network Layer (3) addresses to Data Link Layer MAC or Physical Addresses (2) * On Ethernet networks, converts an IP address to a MAC address
101
Name 5 characteristics of IPv6 (Network Layer)?
  • Formalized in 1998 by the IETF due to IPv4 address exhaustion
  • 128 bits allows over 3.4 undecillion addresses (3.4 x 10^38)
    – Displayed as 8 groups of 4 hexadecimal digits
    – Address example: 2001:0db8:85a3:0000:0000:8a2e:0370:7334
  • No ARP--uses Neighbor Solicitation
  • Slow roll out for IACS
  • Pretty much every device will have to be updated to make it work seamlessly
102
Name 2 Devices (Network Layer)?
Router | Level 3 Switch
103
What is a router (3) (Network Layer)?
* Router is a Layer 3 device that connects a WAN to a LAN * Divides big network into logical sub-networks * Routers need to be configured with an IP routing table (static or dynamic)
104
What is a Level 3 Switch (3) (Network Layer)?
* Layer 3 Switches are switches with routing capabilities but no WAN connection * Will act like a switch when it is connecting devices on the same LAN (subnet) * Will act like a router to route traffic between different subnets
105
What is Level 4 Transport Layer (3)?
• Provides transparent transfer of data between end systems, or hosts, and is responsible for end-to-end error recovery and flow control. • It ensures complete data transfer. • For example number packets to keep them in order
106
What Protocols exist for Level 4 Transport Layer (5)?
  • TCP = Transmission Control Protocol
  • UDP = User Datagram Protocol (send and forget)
  • DCCP = Datagram Congestion Control Protocol
  • SCTP = Stream Control Transmission Protocol
  • RSVP = Resource Reservation Protocol
107
What are the 4 Functions of Transport Layer 4?
– Flow Control – Multiplexing – Virtual Circuit Management – Error Checking and Recovery
108
Why do TCP/UDP have port numbers?
TCP/UDP port numbers identify the application that will handle a packet inside the host.
109
How are ports assigned (3)?
• RFC 6335 defines procedures related to port number registry • Port numbers are assigned based on three ranges: – System or Well Known Ports (0-1023) – User or Registered Ports (1024-49151) – Dynamic or Ephemeral or Private Ports (49152-65535) • Service Name and Transport Protocol Port Number Registry – Exists as online database
110
What is Layer 5 Session Layer (3)?
• Session is a persistent logical linking of two software application processes • Provides the mechanism for opening, closing and managing a session between end-user application processes – Associated with TCP/UDP port numbers • Each OS handles session data differently
111
Name 3 Example Protocols for Layer 5 Session Layer?
– Layer 2 Tunnelling Protocol (L2TP) – Point-to-Point Tunnelling Protocol (PPTP) – Remote Procedure Calls (RPC)
112
What is Layer 6: Presentation Layer (3)?
• Presentation layer functions are generally handled in the Application layer (FTP, SMTP, Telnet, etc.) • Deals with data format conversion and possibly with encryption and security – Associated with Secure Sockets Layer (SSL) • Responsible for the delivery and formatting of information to the application layer for further processing or display (if used)
113
What is Layer 7: Application Layer (3)?
• Interacts with software applications that implement a communicating component • Protocols specific to network applications such as email, file transfer and reading data registers in a PLC • Does not include user applications like word processing or operating systems like Windows-XP
114
What are Level 7 Gateways?
• Gateways are a layer-seven device • Gateways connect two completely differing network systems (e.g. DCS to PLC) • Also used to provide application layer conversions (e.g. between two different email systems)
115
Name Problems with OSI Model (4)?
• OSI layer specifications are functional only (What to do is defined, How to do it is not) • Two protocol families that are "ISO compatible" won’t necessarily communicate • It is too complex for many applications (such as industrial fieldbuses) so layers are skipped, typically L5 & L6 ( PLC, DCS have unique OS, memory management, scan management) • But it does give us a good starting point to organize all those protocols...
116
Name two tools for Network Discovery and Security Auditing Tools.
– Nmap | – SuperScan
117
What are Network Discovery and Security Auditing tools good for (3), and how can they be used for unauthorized purposes (4)?
Good: – Network inventory, Managing service upgrade schedules, Monitoring host or service uptime Bad: Scan and “fingerprint” network, Services (application name and version), Operating systems (and OS versions), Type of packet filters/firewalls are in use
118
What is nmap (4) and what is the Windows GUI called?
* NMAP is the work horse for scanning IP, ARP, ports, and services on IP based networks * Zenmap is NMAP with a Windows GUI
119
Why is TCP & IP not secure?
TCP & IP were not designed to be secure (They were designed to ensure that communications work)
120
Why are PLCs not secure (3)?
• PLCs were designed to replace relays – Their primary function is to service I/O – Ethernet was an afterthought. – They were not designed to be secure
121
What are threats or network attacks (9)?
* Storms/Floods * Known Vulnerabilities * Spoofing * Man-in-the-Middle (Stuxnet) * Replay attacks (Stuxnet) * Sniffing * Session hijacking * Buffer or stack overflow * Brute force or dictionary
122
Name 3 Network Security Devices?
– Switches/Routers – Firewalls – Unidirectional Gateways (aka Data Diodes)
123
What are Network Security Technologies (4)?
* Network Security Devices * Network Architectures (Segmentation) * Cryptography * Intrusion Detection Systems
124
Name 3 Cryptography Technologies?
– VPN – Hashes – Secure Protocols
125
For what can you have Intrusion Detection Systems (2)?
– Network | – Host
126
What is a firewall (5)?
• Inter-network connection device that restricts data communication traffic between two connected networks (Filters network traffic) • Application installed on a general-purpose computer • Dedicated platform (appliance) (Forwards or rejects/drops packets on a network) • Typically firewalls are used to define zone borders • Firewalls generally have rules restricting which ports are open.
127
What is a hardware firewall (2)?
• A firewall is a mechanism used to control access to and from a network for the purpose of protecting it and the equipment attached. • Is a gateway through which all traffic passes.
128
Name 3 classes of Firewall?
– Packet Filter – Stateful Inspection (Header Analysis) – Application Proxy and DPI (Deep Packet Inspection) --> looks into the packet
129
What is an Application Proxy aware of (3)?
• Application proxy are protocol aware: – e.g. modbus, ftp and telnet – Can inspect messages to be sure they are correct, complete and properly ordered – Deep Packet Inspection (DPI) Analyzes protocols at the application layer to identify malicious or malformed packets
130
What can a Router filter?
Routers may now include TCP/UDP port number filters
131
What is a firewall policy?
* A firewall is relatively easy to install. * Configuring is more difficult. * Deciding how it should be configured is most difficult * A firewall is only as good as its rules!!!
132
What is the default rule for a firewall (5)?
– Block all traffic by default – Explicitly allow only specific traffic to known service – Ingress and Egress (inbound and outbound) – IACS devices should not be allowed to access the Internet – Prevent traffic from transiting directly from the IACS network to the enterprise network
133
What is best practice for IACS Firewall Config (4)?
* Default rule * Clean up unused rules * Rules must be exhaustively tested before deployment * Management/Out of Band ports secured
134
What are IACS Firewalls (4)?
Companies offering IACS firewalls to protect traditionally vulnerable components such as PLCs and DCS controllers – Industrial form factor and robustness – Electrician / Control Tech friendly – Knowledge of industrial protocols – Extensibility beyond just packet filtering
135
Name some IACS Firewall Companies (7)?
– Tofino (Belden)
– Hirschmann Eagle (Belden)
– Moxa EDR-8xx and EDR-G9xx series
– Secure Crossing Zenwall Line (5, 10, 2500, etc)
– mGuard (Phoenix Contact)
– Scalance S (Siemens)
– Connexium (Schneider Electric)
136
What is a Data Diode (4)?
* Network device allowing data to travel only in one direction
* Normal flow control (SYN, SYN-ACK, ACK) must be emulated
* Defense and nuclear power plants
* Finding their way into IACS
137
What is an Intrusion Detection System (5)?
• Tools to detect attempts to break into or misuse a computer system
• Security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner
• If firewalls and access control systems are the lock on the door – IDS is the burglar alarm
• Allow system admins to respond to potential security issues
• Intrusion Prevention Systems (IPS) add the ability to act on intrusion detection by blocking malicious activity
138
Name 5 Network Intrusion Detection Systems (NIDS)
– Monitor network traffic
– Pre-defined rules (signature-based)
– Behaviors (heuristics-based)
– Passive Sniffing
– Inline Deployment (bump in the wire)
139
Name 4 Host Intrusion Detection (HIDS)
– Monitor host
– Pre-defined rules (signature-based)
– Behaviors (heuristics-based)
– Passive Sniffing
140
Name 5 Problems with IDS?
* False positives
* Deployment and operational costs
* Only effective against known vulnerabilities
* Limited signatures for control system protocols
* Requires continuous care and feeding (update signatures)
141
Name 3 IDS Best Practices
• Distributed deployment – install NIDS at zone entry points
• Enhance IT IDS signatures with SCADA IDS signatures (e.g. Quickdraw)
• Intrusion Prevention System (IPS) should be implemented with extreme care to avoid inadvertently blocking necessary traffic.
142
What is UTM (Unified Threat Management) (9)?
– Single appliance
– Network firewalling
– Network intrusion prevention
– Gateway antivirus (AV)
– Gateway anti-spam
– VPN
– Content filtering
– Load balancing
– Data leak prevention
143
How should the network be segmented at business/process level (4)?
• Between plant floor and the rest of the company networks a firewall is a must
• Do not try to use a router to prevent hackers/viruses entering – it isn’t good enough.
• Much better is the use of a Demilitarized Zone (DMZ) between the enterprise and process control networks.
• This three-tier design allows secure data transfer between systems.
144
What is defense in depth architecture?
Distributing security appliances provides defense in depth to key assets like controllers. Firewall + DMZ on different levels, such as Internet, Business and IACS FW.
145
What classes of Crypto Ciphers exist (2)?
– Block Ciphers (Fixed size, e.g. 64 bits)
– Stream Ciphers (Continuous stream: Bit by bit)
146
What Types of Ciphers exist (2)?
Types of Ciphers
– Symmetric key (Same shared key, Lower network overhead, Faster than asymmetric)
– Asymmetric key (Different keys, Higher network overhead)
147
Symmetric Key Algo (6)?
– DES
– 3DES
– AES
– Blowfish and Twofish
– Rivest
– IDEA
148
Asymmetric (public) key (5)?
– RSA
– Diffie-Hellman
– El Gamal
– Merkle-Hellman (Trapdoor) Knapsack
– Elliptic Curve
149
How can messages be secured via authentication (2)?
• Digital signatures
• Message digests
  – MD (MD2, MD4, MD5, MD6)
  – SHA (SHA-1, SHA-2, SHA-3)
  – HMAC
150
Name Internet protocols (8)
– SSL (Secure Sockets Layer)
– TLS (Transport Layer Security)
– S-HTTP (Secure Hypertext Transfer Protocol)
  – Application layer encrypts only data (not used)
– HTTPS (Hypertext Transfer Protocol Secure)
  – Encrypts the communications layer over SSL
– IPSec (Internet Protocol Security)
– MPLS (Multiprotocol Label Switching)
– SSH-2 (Secure Shell)
– WTLS (Wireless Transport Layer Security)
151
What to use instead of Telnet, FTP and HTTP?
SSH, SFTP/FTPS, HTTPS
152
What is VPN Virtual Private Network (3)?
• Network that uses a public telecommunication infrastructure such as the Internet to provide remote offices or individual users with secure access to their proprietary data
• Ideal VPN appliance offers central management and multiplatform functionality and is compatible with all essential network applications and legacy platforms
• SSL VPN is a commonly-used protocol for managing the security of message transmission on the Internet via the web browser
153
What are Site-to-Site VPNs (2)?
• The two endpoints of the VPN are intermediary devices that pass traffic from a trusted network to another trusted network while relying on the VPN technology to secure the traffic on the untrusted transport network.
• Commonly called site-to-site or LAN-to-LAN VPNs.
154
What are Remote Access VPNs (2)?
• One endpoint is a host computing device and the other endpoint is an intermediate device that passes traffic from the host to the trusted network behind the security gateway while relying on the VPN technology to secure the traffic on the untrusted network
• Commonly called remote access service (RAS) VPNs.
155
What is a protocol?
Set of rules (i.e., formats and procedures) to implement and control some type of association (e.g., communication) between systems.
156
Name Industrial Protocols (8).
– MODBUS
– PROFIBUS
– OPC
– CIP
– DNP3
– IEC 61850
– HART
– BACnet
157
What is Modbus (6)?
* Serial communications protocol originally published in 1979 by Modicon (now Schneider Electric)
* De facto standard, openly published and royalty free
* Widely used network protocol in the industrial manufacturing environment (over 7 million nodes)
* Basic functions support reading and writing of PLC registers and I/O
* Variants exist
158
How to Secure Modbus (3)?
• Easily firewalled (source IP, destination IP, TCP Port 502)
• MODBUS aware firewalls can inspect packets and reject specific function codes
• Master and Slave connection with Packet Inspection, or only allow read and not write for slave.
159
What is Profibus (2)?
* PROFIBUS (Process Field Bus) is a standard for field bus communication in automation technology
* Developed by Siemens around 1989
160
What Variants exist for Profibus (3) and what is PROFINET?
• Many variations:
  – PROFIBUS DP (Serial)
  – PROFIBUS PA (Serial)
  – PROFISAFE (Safety)
• PROFINET (TCP - Ethernet)
161
What is OPC (5)?
* Object Linking and Embedding (OLE) for Process Control
* Communication standard developed in 1996 by an industrial automation industry task force
* Based on Microsoft OLE, COM, and DCOM technologies
* Specifies the communication of real-time plant data between control devices from different manufacturers
* The OPC Foundation maintains the standard
162
What OPC Specifications Exist (8)?
* OPC Data Access (a.k.a. “OPC Classic”)
* OPC Alarms and Events
* OPC Batch
* OPC Data eXchange
* OPC Historical Data Access
* OPC Security
* OPC XML-DA
* OPC Unified Architecture (UA)
163
Why is it difficult to secure OPC (2)?
• Because OPC is free to use any port between 1024 and 65535 it is “IT firewall unfriendly”
  – You don’t know in advance what port the server will use
  – So you can’t define the firewall rule
  – You have to leave all ports open on your firewall
• Configuring firewall to leave range of ports open creates a serious security hole
164
What is an OPC Aware Firewall (3)?
* Uses deep packet inspection technology to manage OPC traffic behind the scenes
* Validates OPC connection request messages
* Momentarily opens the TCP port specified by the server
165
What are OPC Tunnel Applications (4)?
• Replaces DCOM networking protocol with TCP
• OPC Client connects to tunnel product
• Tunnel product accepts requests from the client
  – Converts requests to TCP messages
  – Sent to a companion tunnel product on the server side
• Request is converted back to OPC
  – Sent to the OPC server application for processing
• Response from server sent back across tunnel products to the client
166
What is Common Industrial Protocol (CIP) (3)?
• The Common Industrial Protocol (CIP) is an industrial protocol for industrial automation applications (formerly Control & Information Protocol)
• Developed by Rockwell Automation
• Supported by Open DeviceNet Vendors Association (ODVA)
167
What are the three CIP underlying protocols (3)?
– DeviceNet
– ControlNet
– EtherNet/IP
168
What does IP in EtherNet IP mean?
(“IP” = “Industrial Protocol” not “Internet Protocol”)
169
What is EtherNet/IP (3)?
* Uses two communications mechanisms and two ports
* Implicit messaging (Port 2222, Producer/Subscriber, Typically I/O messages, Uses UDP Multicast and Unicast for IO transfer)
* Explicit messaging (Port 44818, Client Server, HMI to PLC, Uses TCP Unicast for administration and data transfer)
170
What does CSMS stand for?
Cybersecurity Management System
171
What are Three main categories of CSMS?
– Risk Analysis
– Addressing Risk with the CSMS
– Monitoring and improving the CSMS
172
CSMS What are two elements of Risk Analysis?
– Business rationale (business-economic consideration)
– Risk identification, classification and assessment
173
CSMS three Elements of Addressing Risk?
– Security policy, organization and awareness
– Selected security countermeasures
– Implementation
174
CSMS Monitoring and improving the CSMS has two elements?
– Conformance (Compliance)
– Review, improve and maintain the CSMS
175
What is security in regard of CSMS?
Security is balance of risk versus cost; All situations different
176
What can be unrecoverable consequences for IACS Risks?
– Business risk may only be a temporary financial setback
– Control HSE consequences may be permanent
177
Name four Elements of a CSMS?
– Objective
– Description
– Rationale (underlying idea)
– Requirements
178
What are the 6 Elements of CSMS Process?
- Initiate CSMS
- High-level risk assessment
- Address risk assessment at a high level
- Detailed risk assessment
- Establish policy, organization and awareness
- Select and implement countermeasures
179
What are the 4 Elements of initiate CSMS?
– Establish purpose
– Organizational support (MGMT!)
– Resources
– Scope (Initial scope may be smaller than desired, Can grow)
180
What are the 6 Elements of a High Level Risk Assessment CSMS?
– Drives the content of CSMS
– Threats
– Likelihood
– Vulnerabilities
– Consequences
181
How to Address Risks (3) CSMS?
– Address risk assessment at a high level
– Resources needlessly expended if not kept high level
– Overall higher level risk context has to be established (high, mid, low)
182
What is a detailed Risk assessment (2) CSMS?
– Detailed technical assessment
– Focus on vulnerabilities identified at high level
183
What is part of Establish policy, organization and awareness (4) CSMS?
– Driven by high-level and detailed risk assessment results
– Creation of policies and procedures
– Assignment of organizational responsibilities
– Planning and execution of training
184
What is part of Select and implement countermeasures (3) CSMS?
– Defines and implements cyber security defenses
– Technical
– Non-technical
185
What is the Coordinated approach (5) CSMS?
– High-level and low-level decisions driven by risk assessment results
– Establish policy, organization and awareness
– Select and implement countermeasures
– Training
– Essential to make countermeasure effective
186
What are the elements of Maintain the CSMS (9)?
– Is organization maturing in its CSMS activities?
– Does organization conform to policies and procedures?
– Are cyber security goals met effectively?
– Do the goals need to change in light of internal or external events?
– Is a review of high-level or detailed risk assessment required?
– Are there improvements identified and implemented?
– Are there training enhancements to make?
– Has enthusiasm and support waned?
– Have other priorities pushed CSMS to the back burner?
187
What are the concerns in regard of CSMS (3)?
• Fine balance
• We can’t afford perfect security
• Risk reduction is balanced against the cost of security measures to mitigate the risk
188
Why is it important to initiate CSMS?
* The desired outcome is to obtain leadership commitment, support, and funding
* First, develop a business rationale that will justify the program to management. Second, develop a proposed scope for the program.
189
What is the Pitfall of CSMS Program (6)?
* Common pitfall is to initiate without a high-level rationale
* What is your organization’s mission statement?
* Why are we doing all of this “cyber security” work in relation to the mission statement?
* Return on Investment (ROI) difficult to quantify when it comes to cyber
* What are we supporting?
* Cyber security requires organizational resources
190
How is the High-Level Risk Assessment categorized (2)?
x = Consequence category
y = Likelihood
191
What is important for Detailed Risk Assessment (3) CSMS?
- Inventory of IACS Systems, networks and Devices
- Resources/Time may not allow detailed examination of all of these assets (Prioritise using High Level)
- Detailed vulnerabilities guided by the high-level risk assessment vulnerabilities identified
192
What can a Detailed Risk Assessment uncover (4)?
– New threats
– New Likelihoods
– New consequences
– New risks
193
What does the implementation of policy involve (3)?
– Communicating the policy to the organization
– Training personnel in the organization
– Assigning responsibility for adherence to the policy
194
Policies and procedures can impact any activity in the CSMS (3)?
– Countermeasures used drive specific system and maintenance process implementation
– All of these have a cost
– Determining when risk is to be re-assessed
195
Select and Implement Countermeasures (5)
• Selection of countermeasures is the technical process of risk management
• Driven by:
  – Organization’s risk tolerance
  – Pre-selected common countermeasures
  – Results of high-level risk assessment
  – Results of detailed risk assessment
196
ISA/IEC 62443 how many security levels exist?
5 Levels (0-4).
197
Define SL 0:
SL 0: No specific requirements or security protection necessary (no security)
198
Define SL 1:
SL 1: Protection against casual or coincidental violation
199
Define SL 2:
SL 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation
200
Define SL 3:
SL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
201
Define SL 4:
SL 4: Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation (intelligence service)
202
What are the 3 different Types of Security Level?
– Target (Target SL Level)
– Achieved (reached Level)
– Capability (what can I reach)
203
Name 7 Functional Requirements for ISA 62443-1-1?
* FR 1 - Access Control (AC) or Authentication Control
* FR 2 - Use Control (UC)
* FR 3 - Data Integrity (DI)
* FR 4 - Data Confidentiality (DC)
* FR 5 - Restrict Data Flow (RDF)
* FR 6 - Timely Response to Events (TRE)
* FR 7 - Resource Availability (RA)
204
How can you extend SL?
Instead of compressing SLs down to a single number, it is possible to use a vector of SLs that uses the seven FRs instead of a single protection factor.
• FORMAT
  – SL-?([FR,]domain) = { IAC UC SI DC RDF TRE RA }
• Examples
  – SL-T(BPCS Zone) = { 2 2 0 1 3 1 3 } -> Target
  – SL-C(SIS Engineering Workstation) = { 3 3 2 3 0 0 1 } -> Capability
205
How is Risk Defined (Formula)?
Risk = Threat x Vulnerability x Consequence
206
What is a Threat (2)?
– Potential for violation of security, which exists when there is a circumstance, capability, action or event that could breach security and cause harm
– Circumstance or event with the potential to adversely affect operations (including mission, functions, image or reputation), assets, control systems or individuals via unauthorized access, destruction, disclosure, modification of data and/or denial of service
207
What is a Vulnerability (3)?
– Flaw or weakness in a system’s design, implementation, or operation and management that could be exploited to violate the system’s integrity or security policy
– Weakness in a system function, procedure, internal control or implementation that could be exploited or triggered by a threat source, either intentionally designed into computer components or accidentally inserted at any time during its lifecycle
– Sources come from physical and cyber security threats, internal and external threats; consider hardware, software, and information
208
What is the Risk Consequence (2)?
– Result that occurs from a particular incident
– Condition or state that logically or naturally follows from an event
209
What is Likelihood (Formula) + Definition?
Likelihood = Threat x Vulnerability
Quantitative chance that an action, event or incident may occur
210
What are the 3 Levels of Likelihood?
Low = very unlikely
Medium = Likely in next 10 Years
High = next year
211
What should be included in a good risk assessment (5)?
– Risk profile
– Highest severity consequences
– Threats & vulnerabilities leading to the highest risks
– Target Security Levels
– Recommendations
212
What is Risk Response (5)?
– Design the risk out
– Reduce the risk
– Accept the risk
– Transfer or share the risk
– Eliminate or redesign redundant or ineffective controls
213
What is Risk Tolerance (1)?
It is management’s responsibility to determine the level of risk the organization is willing to tolerate
214
What is the scope of ISA 62443-2 Risk Assessment (5)?
– Define System under Consideration (SuC)
– Partition SuC into zones and conduits
– Assess risk
– Establish Security Level Target (SL-Ts)
– Document requirements
215
What is System under Consideration SuC (3)?
– Defined collection of IACS and related assets for the purpose of security risk analysis
– Consists of one or more zones and related conduits
– All assets belong to either a zone or conduit
216
What is Target Security Level (SL-T) 2?
– Measure of confidence based on security policy and consequence analysis
– This is usually determined by performing a risk assessment on a system and determining that it needs a particular level of security to ensure its correct operation
217
What is Achieved Security Level (SL-A) 4?
– Actual level of security
– Measured after a system design is available
– Additional compensating countermeasures in place
– Used to measure that the Target Security Level (SL-T) goal is met
218
What is Capability Security Level (SL-C) 2?
– Built in to a device or system when properly configured
– Capable of meeting a Target Security Level (SL-T) without additional compensating countermeasures
219
What does CRRF stand for and how is it calculated?
Cyber Risk Reduction Factor (CRRF) = unmitigated Risk / tolerable Risk
220
What is CRRF necessary for (2)?
* SL-T is dependent upon the Cyber Risk Reduction Factor (CRRF)
* Measure of the degree of risk reduction required to achieve tolerable risk
221
How to establish zones and conduits 5?
– Group IACS and related assets
– Criticality of assets
– Operational function
– Physical location
– Logical location
222
How to separate business and control system zones (3)?
– Logically
– Physically
– Impact to health, safety and environment (HSE)
223
What is the minimum Documentation for zones and conduits (11)?
– Name and/or unique identifier
– Logical boundary
– Physical boundary if applicable
– List of all physical and logical access points and associated boundary devices
– List of data flows associated with each access point
– Connected zones or conduits
– List of assets and their classification, criticality and business value
– Applicable security requirements
– Target Security Levels (SL-T)
– Applicable security policies
– Assumptions and external dependencies
224
What to consider separating for Zones and Conduits (5)?
– Separation of business and control system zones
– Separation of safety-critical zones
– Separation of temporarily connected devices
– Separation of wireless communications
– Separation of devices connected via untrusted networks
225
What is the IACS Cybersecurity Lifecycle and what are its Phases (3)?
– Assess Phase
– Development & Implement
– Maintain Phase
226
What is the Assess Phase?
Assess phase: a zone is assigned a Target Security Level (SL-T)
227
What is the Development and Implement Phase?
Countermeasures are implemented to meet the Target Security Level (SL-T)
228
What is the Maintain Phase?
Ensures the Achieved Security Level (SL-A) is better than or equal to the Target Security Level (SL-T) --> Audited and/or Tested
229
What is the definition of IACS Service Providers?
Specifies requirements for security capabilities for IACS service providers that they can offer to the asset owner during integration and maintenance activities of an Automation Solution.
230
What should an IACS Service Provider be capable (4)?
Implementation, Operations, Maintenance and Retirement.
231
What is the role of System Integrators of Service Providers?
System Integrators (design and deploy services). Operational and Maintenance Capabilities are defined by Policies and Procedures.
232
What are the typical Integration Service Provider Activities (5)?
– analysis
– development
– definition
– installation, configuration, patching, backup, and testing
– gaining approval of the asset owner during the execution of activities
233
What are the typical activities of a Maintenance Service Provider?
– Patching and anti-virus updates
– Equipment upgrades and maintenance
– Component and system migration
– Change management
– Contingency plan (emergency plan) management
234
What is the Role of the Product Supplier (3)?
• Manufacturer of hardware and/or software product
• Develops control system product as a combination of
  – Supporting applications
  – Embedded devices
  – Network components
  – Host devices
• Independent of IACS environment
235
Where to place Patching, what issue is it?
– Is a risk management issue
– Does the benefit of patching outweigh the cost and risks associated with patching?
236
What does the Patching Cycle look like 5?
Information Gathering --> Monitoring and Evaluation --> Patch Testing --> Patch Deployment --> Verification and Report (beginning)
237
What are the 4 Prio Levels for Patching?
High: Within 1 week
Medium: (default) Within 3 months
Low: Within 2 years or next available outage
None: Never
238
What are the Requirements for Product or Service Provider 4?
– Discovery of vulnerabilities
– Development, verification and validation
– Distribution of cyber security updates
– Communication and outreach
239
What are the Protection Mechanism against malicious code 4?
Protection mechanism against malicious code to
– Prevent
– Detect
– Report
– Mitigate
240
How do you verify that your prevention or detection mechanisms are functioning as expected (6)?
Use mixed deployment systems:
– Scanning at the control system firewall
– Ingress and egress traffic
– Application whitelisting (AWL)
– Automatic updating for non-critical systems
– Systems with vendor approved update schemes
– Manual scheduled updates for more difficult systems
241
What are the primary goals for secure Product and System Development 5?
Primary goal to provide a framework addressing
– Secure by design
– Defense in depth approach to designing
– Building
– Maintaining
– Retiring
242
What are the requirements for Defense in Depth approach 8?
– Security management (Overall)
– Specification of security requirements
– Secure by design
– Secure implementation
– Security verification and validation testing
– Security defect management
– Security update management
– Security guidelines
243
Where are Product security requirements derived from (2)?
Product security requirements derived from
– Baseline Requirements (BR)
– Requirement Enhancements (RE)
244
Name three certifications from ISCI with four security assurance levels (SAL) in alignment with ISA/IEC 62443
– ISASecure Embedded Device Security Assurance (EDSA) Certification
– ISASecure System Security Assurance (SSA) Certification
– ISASecure Security Development Lifecycle Assurance (SDLA) Certification
245
What does ISCI stand for?
ISA Security Compliance Institute = Not-for-profit automation controls industry consortium
246
What are other IACS Certifications 4?
UL Cybersecurity Assurance Program (UL CAP) Wurldtech A GE Company TÜV Rheinland
247
Name two Standards ISA is cooperating with?
– USA Presidential Executive Order 13636 issued in 2013 to enhance security of critical infrastructure (KRITIS)
– NIST Cybersecurity Framework Version
248
What is the Framework Core 2?
– Cybersecurity activities common across critical infrastructure sectors and organized around particular outcomes
– Enables communication of cyber risk across an organization
249
What is Framework Implementation Tiers (2)?
– Describes how cybersecurity risk is managed by an organization
– Describes degree to which an organization’s cybersecurity risk management practices exhibit the key characteristics (e.g., risk and threat aware, repeatable, and adaptive)
250
What is Framework Profile 2?
– Aligns industry standards and best practices to a particular implementation scenario
– Supports prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation
251
Name 5 Elements of NIST CSF Framework?
Identify, Protect, Detect, Respond and Recover
252
What is NIST for and how is it connected to ISA 62443 (2)?
– NIST CSF Informative References consist of globally recognized standards for cybersecurity
– Among those standards are the ISA/IEC 62443 standards
253
Name global Cyber Security Frameworks 6?
• ISO 27001:2013 Information technology -- Security techniques -- Information security management systems -- Requirements
• ISA 62443-2-1:2009 Requirements for an IACS security management system
• ISA 62443-3-3-2013 System security requirements and security levels
• COBIT 5 Control Objectives for Information and Related Technology (ISACA)
• CCS CSC – Council on Cyber Security Critical Security Controls
• NIST Special Publication 800-82 Revision 2 – Guide to Industrial Control Systems (ICS) Security
254
What does a Framework describe 5?
* Framework provides a common taxonomy and mechanism
* Describes current cybersecurity posture
* Describes target state for cybersecurity
* Identifies and prioritizes opportunities for improvement within the context of a continuous and repeatable process
* Assesses progress toward the target state
* Communicates among internal and external stakeholders about cybersecurity risk
255
Name Standard Development Organizations (SDOs) 5?
* International Electrotechnical Commission (IEC)
* International Society for Automation (ISA)
* National Institute for Standards and Technology (NIST)
* EU Cybersecurity Dashboard
* UAE National Electronic Security Authority