Standards provide framework for preventing intrusions.
As industrial systems have evolved and become more open, that openness has brought many of the same security concerns found in business applications. But industrial security breaches can kill or injure humans, making it extremely important to prevent hackers from taking control of industrial machines or manipulating chemical processes.
As cyber security gains importance in industrial applications, standards that detail best practices are maturing and extending their reach. Standards have been helping safeguard commercial networks for some time, but versions that focus on industry have become available only in the past few years. Protecting industrial networks and the equipment they link together is a complex task, so those guidelines are emerging slowly as a number of documents are developed.
“ISA 99 is the dominant control system security standard effort internationally,” says John Cusimano, Director of Security Services for exida in Sellersville, PA. The ISA 99 committee, which has several working groups supported by more than 200 companies, has completed several aspects of this series of standards and continues to work on others.
The documents pool common knowledge so people can use proven practices to protect their systems. That’s important given the many variables in network protection, which are even greater than those of conventional physical security for plants. “There’s no such thing as 100% security, but if people follow the best practices they can improve their overall reliability and protect themselves against incidents,” Cusimano says.
Though security discussions often focus on outside attacks, Cusimano notes that security must address unintentional incidents as well as intentional attacks. Some studies have found that as many as 75% of reported incidents are unintentional.
“Common unintentional problems are people performing network diagnostics or connecting to a system with a laptop that’s been infected by malware. Such actions can lock up a device or the entire network. This can’t be downplayed because it was unintentional, because unintentional incidents have led to injuries and even death,” Cusimano says.
The ISA 99 documents set the framework for preventing incidents that cause significant and minor problems on the plant floor. Though security is a key factor driving their implementation, proponents note that deploying the standards will help reduce downtime, improving overall productivity.
ISA 99.00.01-2007, often referred to as part 1, was issued in 2007. It provides an overall framework by describing the concepts, models and definitions used in control system security.
ISA 99.02-01-2009 (part 2), which was formalized early in 2009, lays the groundwork for asset owners, defining how they can establish their control system security programs. Among other things, it examines fundamental risk management, looking at threats and countermeasures. “The document establishes the concept of security levels, quantifying how much protection different networks need and how much they have,” Cusimano says. “A lot of what Part 2 talks about is the security life cycle, going through a risk analysis process that begins by identifying the most severe risks and determining how to mitigate them.”
One of the primary techniques to protect networks and equipment is to employ a layered approach known as defense-in-depth. Employing a number of protective layers makes it difficult and time-consuming for outsiders to break through. “Should a would-be attacker get through one layer, they won’t be able to get through the others,” Cusimano says.
This layered approach also makes it easier for companies to create protection schemes that match their needs. These levels may differ in critical areas of a facility and they will also differ depending on the value and volume of what’s being produced.
Though standards are a critical element for network protection, many end-user companies are looking for assurance that their automation system suppliers are following best practices and designing security into their devices and systems. In response, the ISA has established the ISA Security Compliance Institute (ISCI), a consortium that aims to facilitate the independent testing and certification of control system products to a defined set of control system security standards. ISCI recently published two of three key elements of the ISASecure Embedded Device Security Assessment (EDSA) certification.
This certification provides asset owners with defined levels of security capabilities for embedded devices by rating them for ISASecure Level 1, 2 and 3. The levels are analogous to the widely used safety integrity level (SIL) ratings. “This helps manufacturers of automation equipment build secure safeguards into their systems, and it assures asset owners that they can rely on equipment suppliers to give them assets that can be secured,” Cusimano says.
Products that get ISCI certification will undergo a comprehensive evaluation including communications robustness testing, a functional security assessment and a software development lifecycle audit. When standards like these provide uniform testing techniques, both equipment manufacturers and asset owners benefit. “End users want to be able to compare systems and equipment makers want to be able to differentiate themselves,” Cusimano says. “This is a pretty momentous event in the maturity of this industry. With this, you have an independent assessment so asset owners can make comparisons.”
Though standards set the framework for control system security, they won’t remain static documents. Networking technologies are changing rapidly as commercial users demand more bandwidth, and the techniques used to safeguard systems are constantly being altered to respond to changes in the way systems can be compromised.
“Control system security is an evolving, maturing field and can be difficult to nail down due to constant technological advances,” says Cusimano. “However, we shouldn’t allow future uncertainty to prevent us from applying today’s best practices. Many aspects of today’s standards will withstand the test of time, but others will be more fluid. ISCI decided it was time to draw a line in the sand and establish how products are certified and will adjust accordingly as things change.”