On February 12, 2014, President Obama signed Executive Order 13636 (EO 13636) to improve the cybersecurity of the nation's critical infrastructure. With this order, he also directed the National Institute of Standards and Technology (NIST) "… to lead the development of a framework to reduce cyber risks to critical infrastructure (the Cybersecurity Framework)." Subsequently, there was a flurry of activity by NIST and multiple entities and individuals across the country to ultimately build Version 1 of the framework. This was an excellent start for the nation's critical infrastructure operators to begin to assess their cybersecurity posture. However, these actions and ensuing efforts also began to raise questions about cybersecurity frameworks for industrial control systems, otherwise known as ICS. While many enterprises are focused on the security of their IT assets, industrial control systems for businesses in manufacturing, energy and other verticals may be exposed to potential security risks. A Supervisory Control and Data Acquisition (SCADA) system, for example, may not be a data center server, but it is still a computerized system that is vulnerable to malware, insider threats and other potential attacks.
The framework concept for ICS security was not being ignored at one global company in the United States -- which wishes to remain anonymous. The chief information security officer (CISO) of the company saw a need and requested assistance in becoming one of the first organizations to develop a framework for implementing ICS security across the corporation.
With this vision set by the CISO, three questions immediately surfaced. First, what is the ultimate purpose of this document/framework? Second, what are the functions of the framework? And finally, what is the framework's scope? This is especially important when dealing across multiple countries as a global company.
Purpose of the framework
The framework was developed on the foundational philosophy that for this company -- and for most critical infrastructures -- ICS security systems are the foundation of the factories and production lines. Without their safe, secure and reliable operations, product manufacturing and shipping would be negatively impacted. In turn, this would result in reduced customer satisfaction and lower corporate revenue.
Hence, the framework established the key elements of ICS security for the company's global plants and factory operations. This framework enveloped the entire ICS lifecycle from architecture to design to ICS component procurement, operations, maintenance, repair and ultimately decommissioning. The intent of the framework, however, was to complement and integrate the overall cyber and physical security controls for the corporation and those associated regional/national laws affecting the company and its product manufacturing.
But first, what are the functions of a conceptual framework?
A Congressional Research Service report issued on March 29, 2005 regarding Border and Transportation Security includes a list of criteria for an effective framework, though it does not deal with ICS security per se. The report frames these criteria as the following questions to be answered about the framework being developed:
- Does it help analysts/policymakers understand and provide structure to a complex phenomenon? (In our case, ICS security)
- Does it help focus on important dimensions of policy design?
- Does it help generate additional hypotheses for possible future action?
- Does it offer guidance for prioritizing actions?
Admittedly, these criteria did not provide any immediate guidance for the development of the ICS security framework; however, they did give us some questions to ask as we wrote and circulated the document for review.
Scope of an ICS security framework
As the team began to build the framework, it became obvious the scope of the document needed to be nailed down. The first question that arose was along the lines of, "What exactly is ICS?"
ISA uses the term "industrial automation and control system" rather than the abbreviation ICS. That said, there are two definitions of ICS that a framework relies upon. They are:
- Personnel, hardware and software:
  - that can affect or influence the safe, secure and reliable operation of an industrial process; and
  - that are involved in the operation of the industrial processes and can affect or influence their safe, secure and reliable operation.
The framework developers also determined that the following systems are included in the scope of "ICS":
- Distributed Control Systems
- Programmable Logic Controllers
- Remote Terminal Units
- Intelligent Electronic Devices
- Supervisory Control and Data Acquisition
- Safety Instrumented Systems (SIS)
- Associated information systems, such as advanced/multivariable control, online optimizers, dedicated equipment monitors, process historians and manufacturing execution systems
- Associated human, network or machine interfaces for control, safety and manufacturing operations
Primary framework ICS security philosophy
A fundamental element of the framework is the ICS security philosophy held by the company. Rather than using the classic IT-centric approach of Confidentiality, Integrity and Availability, the team used the ICS-security centric approach of Availability, Integrity and Confidentiality with the ultimate recognition that for manufacturing, and even for SIS systems, availability is paramount.
Primary network model
As with many approaches to network architecture and design, a "Reference Model" is appropriate. In the case of the framework, the reference model is another "subframework" for understanding significant relationships among different network elements and zones. The reference model selected for the ICS security framework is the Purdue Model (ISA-95), and it is based on ISA-99/IEC-62443.
The view of the framework's ICS Reference Architecture is included below:
What standards should a framework use?
Rather than assume there was one international standard that would satisfy the company's ICS security framework, a collection of current ICS-security-centric standards and frameworks were inventoried. Examples looked at included:
- NIST Standards SP800-82 and SP800-53
- NIST Cybersecurity Framework
- ISA/IEC-62443 Products (Reference: Graphical View)
- ISO 27001/2 Information Security Management
- International & Industry Standards, such as:
  - European Union Agency for Network and Information Security, Protecting Industrial Control Systems;
  - Qatar National Information Assurance, National ICS Security Standard; and
  - American Petroleum Institute, Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries.
Following the review of the different security standards that could apply to ICS security, the framework was ultimately based on the following:
Developing the control matrix
Of the frameworks analyzed, the structure and layout of the NIST Cybersecurity Framework was selected for this effort. An excerpt from the developed ICS security framework is included below as a demonstration of how this approach was taken.
Using an ICS framework for risk and impact analysis
The original intent of the ICS security framework was to provide guidance and a semblance of criteria in order to ascertain ICS impact levels. However, the company also wanted to take advantage of the structure of the framework and its approach to ultimately characterize ICS components and systems for risk assessments.
What criteria make sense for these risk/impact levels?
An excellent answer to this question was identified in NIST 800-82, Revision 2, Page 88, and is included below to help the reader better understand the idea presented:
These two tables were invaluable when trying to assess impact levels, which can ultimately assist in risk analysis.
Concept of 'essential function'
During the course of developing the ICS security framework, many standards and ICS security documents were read, studied, evaluated, dissected and so on. A concept noted in the ISA standards and woven into the framework was that of "common control system constraints" and "essential functions."
An essential function is a function or capability required to maintain health, safety, environment and availability of equipment under control.
Basically, a SIS protecting the environment and providing personnel safety performs an essential function. This is much different from a regular control system that is used for production only.
ISA-62443-3-3, System Security Requirements and Security Levels, details several "constraints" to be followed for essential functions, which can be woven into maintenance and operations practices to ensure the availability of these key systems and components. These constraints include:
- Security measures shall not adversely affect essential functions of a high availability ICS unless supported by a risk assessment (and approval by management).
- Security measures should not cause loss of protection, loss of control, loss of view or loss of other essential functions.
- Access controls shall not prevent operation of the essential functions.
- Essential functions of the ICS shall be maintained if zone boundary protection goes into fail-close and/or island mode.
- A denial-of-service event on the ICS or SIS network shall not prevent the SIS and its associated functions from acting.
Summary of framework document
The framework was finally published. It is used globally and some ICS security assessments have been performed using the framework as a reference and guide. The security controls matrix continues to be augmented and updated; however, the rate of change of the ISA/IEC-62443 standards has been a challenge to the document owners.
About the author:
Ernie is a highly experienced and seasoned technical consultant, author, speaker, strategist, instructor and thought leader with extensive experience in the power utility industry, critical infrastructure protection/information security domain, industrial controls security, cybercrime and cyber warfare areas. His primary work emphasis involves cyber and physical security of industrial controls, smart grid, energy supply, and oil/gas/electric systems and facilities, with special expertise in industrial controls and NERC Critical Infrastructure Protection (NERC CIP) standards. Hayden holds certifications as a SANS Global Industrial Cyber Security Professional (GICSP Gold), Certified Information Systems Security Professional (CISSP), and Certified Ethical Hacker (CEH). Hayden is an Executive Consultant at Securicon, LLC; has held the role of Global Managing Principal -- Critical Infrastructure/Industrial Controls Security at Verizon; and has held information security officer/manager positions at the Port of Seattle, Group Health Cooperative (Seattle), ALSTOM ESCA and Seattle City Light. In 2012 Ernie was named a "Smart Grid Pioneer" by Smart Grid Today and published an article on microgrid security in Jesse Berst's Smart Grid News. Ernie is a frequent author of blogs, opinion pieces and white papers. He has been cited in the Financial Times, Boston Globe, Energy Biz Magazine and Puget Sound Business Journal. Many of his articles have been posted to such forums as SearchSecurity, Energy Central, Public Utility Fortnightly "SPARK," and his own blog on Infrastructure Security.