Address Smart Building Cybersecurity with IEC 62443: ISASecure Webinar

Uploaded by

Usman Syed

ISASecure webinar

Address Smart Building Cybersecurity with IEC 62443

Presented by Jon Williamson

August 5, 2020

Smart Buildings

Power HVAC BMS Security Fire Lighting / Other

Substations Ventilation Temperature Control Video Panels Lighting


Microgrid Chillers Thermostats Access Control Detectors Shade / Blind
Generators Air Handlers Analytics Intrusion Suppression Roof
Power distribution Purification Air Quality / Health Loss Prevention Smoke Digital Signage
Arc flash technology Monitoring Safety Conference
Metering Parking Emergency
Elevator / Lift
Occupant Health

Monitoring (Workstations, Mobile, Alerts)

Analytics (Logging, Optimization, AI)

Connectivity (IT networks, Wireless, Mobile, Intranet, Cloud)

Smart Building Benefits: Efficiency, Comfort, Experience, Health


OT Attacks are on the rise

Industry reports

Gartner (2017)
• by 2020, more than 25% of all identified attacks in enterprises will involve IoT
• IoT will account for less than 10% of IT security budgets
• buildings will account for 81% of all connected things in 2020

Kaspersky (2019)
• 40,000 smart buildings worldwide running Kaspersky, nearly 4 in 10 (37.8%) of these buildings had been affected by a malicious cyber attack.

Building incidents
• Target, USA (2013)
• DHS, USA (2013)
• St. Regis Hotel, China (2014)
• Google Sydney HQ (2014)
• Hollywood Presbyterian Hospital LA (2017)
• Erie County Medical Center, NY (2017)
• Norsk Hydro Aluminium (2019)

Critical incidents
• Maroochy Shire Australia (2001)
• Bowman Avenue Dam, NY (2013)
• Ukrainian Power Station (2016)
• Kemuri Water Company (2016)

Malware
• LockerGoga
• Gamarue
• Shamoon
• Stuxnet
• WannaCry
• Havex/Dragonfly

Case study: December 2013, Target Corporation
• Up to 40 million financial and personal records of Target customers exfiltrated
• Hackers stole credentials from an HVAC and refrigeration company, gained remote access to the network, installed malware on Point-of-Sale (POS) and other nodes, and sent data (via FTP) to a Russian server



Smart Buildings need cybersecurity across all systems

Power HVAC BMS Security Fire Lighting / Other

Substations Ventilation Temperature Control Video Panels Lighting


Microgrid Chillers Thermostats Access Control Detectors Shade / Blind
Generators Air Handlers Analytics Intrusion Monitoring Digital Signage
Power distribution Purification Air Quality / Health Loss Prevention Suppression Conference
Arc flash technology Monitoring Smoke Emergency
Metering Parking Safety
Elevator / Lift
Occupant Health

MQTT, SIP, Proprietary, SNMP, DMX, http://

ASHRAE BACnet® evolution
• 1995 – Initial release
• 2010 – Network Security “addendum G”
• 2019 – BACnet/SC “secure connect”

… regardless of protocol

Building systems utilize a layered architecture

Power HVAC BMS Security Fire Lighting / Other

Server / Application
Supervisory
Field
Input / Output

OT vs. IT
• More predictable failure modes
• Tighter time-criticality and determinism
• Higher availability
• More rigorous management of change
• Longer time periods between maintenance
• Significantly longer component lifetimes

Introducing ISA/IEC 62443

▪ ISA/IEC 62443
  ▪ Family of standards
  ▪ Initiated in ISA99 committee – jointly developed with IEC
  ▪ Provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems

▪ ISA
  ▪ International Society of Automation
  ▪ Non-profit professional association founded in 1945 to create a better world through automation.
  ▪ Publishes 62443 as ANSI/ISA-62443
▪ ISA Security Compliance Institute (ISCI)
  ▪ Wholly owned non-profit subsidiary of ISA
  ▪ ISASecure conformity assessment to ISA/IEC 62443 standards
▪ International Electrotechnical Commission (IEC)
  ▪ Founded in 1906, world’s leading organization for the preparation and publication of International Standards for all electrical, electronic and related technologies.
  ▪ ISA/IEC 62443 developed in IEC Technical Committee 65/Working Group 10

IEC 62443 Standards and ISASecure Certification: Applicability to Building Control Systems

2016 ISASecure Building Control Systems Working Group

Download Working Group Final Report at
http://isasecure.org/en-US/Building-Control-Systems-Report

Jim Sinopoli - Smart Buildings, LLC
Mike Chipley - PMC Group, LLC


ISA/IEC 62443 Standards Family

General
  ISA 62443-1-1: Concepts and models
  ISA 62443-1-2: Master terms glossary
  ISA 62443-1-3: System compliance
  ISA 62443-1-4: Lifecycle and use-case

Policies & Procedures
  ISA 62443-2-1: Management requirements
  ISA 62443-2-2: Management guidance
  ISA 62443-2-3: Patch management
  ISA 62443-2-4: Integrator requirements
  ISA 62443-2-5: Asset owner guidance

System
  ISA 62443-3-1: Security technologies
  ISA 62443-3-2: System risk assessment
  ISA 62443-3-3: System requirements

Component
  ISA 62443-4-1: SDL requirements
  ISA 62443-4-2: Component requirements

ISA/IEC 62443 Standards Family Application

Smart Building (site specific)

Operate (Owner)
  ISA 62443-1-3: System compliance
  ISA 62443-2-1: Management requirements
  ISA 62443-2-3: Patch management

Design/Deploy (Integrator): Subsystem 1, Subsystem 2, Complementary components
  ISA 62443-2-4: Integrator requirements
  ISA 62443-3-3: System requirements

Products (off-the-shelf): Applications, Embedded Devices, Network Components, Host Devices

Develop (Supplier)
  ISA 62443-4-1: SDL requirements
  ISA 62443-3-3: System requirements
  ISA 62443-4-2: Component requirements

ISA/IEC 62443 Standards Family Application

ISA 62443-4-2 Component requirements, by component type and system

Embedded device
  Industrial Automation and Control System: Programmable Logic Controller; Intelligent Electronic Device
  Building Automation System: Supervisory controllers; Field controllers (Unitary, Terminal, General purpose)
  Video Surveillance System: Video Camera; Video Transceiver (analog to IP)

Network device
  Industrial Automation and Control System: Switch; VPN terminator
  Building Automation System: Switch; Router / Gateway; VPN
  Video Surveillance System: Switch; Router / Gateway; VPN

Host device/application
  Industrial Automation and Control System: Operator workstation; Data historian
  Building Automation System: Operator workstation (facility manager level); Advanced workstation (engineering level); Application Server (handles data storage)
  Video Surveillance System: Network Video Recorder; Video Client / Workstation

ISA/IEC 62443-4-2 Foundational requirements for components

Develop: ISA 62443-4-2 Component requirements

Foundational Requirement Groups
FR1 - Identification and authentication control (IAC)
FR2 - Use control (UC)
FR3 - System integrity (SI)
FR4 - Data confidentiality (DC)
FR5 - Restricted data flow (RDF)
FR6 - Timely response to events (TRE)
FR7 - Resource availability (RA)

Security Levels (Definition; Means, Resources, Skills, Motivation)
SL1: Protection against casual or coincidental violation
SL2: Protection against intentional violation using simple means with low resources, generic skills and low motivation (Means: simple; Resources: low; Skills: generic; Motivation: low)
SL3: Protection against intentional violation using sophisticated means with moderate resources, IACS-specific skills, and moderate motivation (Means: sophisticated; Resources: moderate; Skills: IACS-specific; Motivation: moderate)
SL4: Protection against intentional violation using sophisticated means with extended resources, IACS-specific skills, and high motivation (Means: sophisticated; Resources: extended; Skills: IACS-specific; Motivation: high)

ISA/IEC 62443-4-2 Foundational requirements for components

Develop: ISA 62443-4-2 Component requirements

FR 1 – Identification and authentication control
CR 1.1 – Human user identification and authentication
CR 1.2 – Software process & device identification and authentication
CR 1.3 – Account management
CR 1.4 – Identifier management
CR 1.5 – Authenticator management
CR 1.6 – Wireless access management
CR 1.7 – Strength of password-based authentication
CR 1.8 – Public key infrastructure certificates
CR 1.9 – Strength of public key-based authentication
CR 1.10 – Authenticator feedback
CR 1.11 – Unsuccessful login attempts
CR 1.12 – System use notification
CR 1.13 – Access via untrusted networks
CR 1.14 – Strength of symmetric key-based authentication

ISA/IEC 62443-4-2 Foundational requirements for components

Develop: ISA 62443-4-2 Component requirements

FR 2 – Use control
CR 2.1 – Authorization enforcement
CR 2.2 – Wireless use control
CR 2.3 – Use control for portable and mobile devices
CR 2.4 – Mobile code
CR 2.5 – Session lock
CR 2.6 – Remote session termination
CR 2.7 – Concurrent session control
CR 2.8 – Auditable events
CR 2.9 – Audit storage capacity
CR 2.10 – Response to audit processing failures
CR 2.11 – Timestamps
CR 2.12 – Non-repudiation
CR 2.13 – Use of physical diagnostic and test interfaces

FR 3 – System integrity
CR 3.1 – Communication integrity
CR 3.2 – Protection from malicious code
CR 3.3 – Security functionality verification
CR 3.4 – Software and information integrity
CR 3.5 – Input validation
CR 3.6 – Deterministic output
CR 3.7 – Error handling
CR 3.8 – Session integrity
CR 3.9 – Protection of audit information
CR 3.10 – Support for updates
CR 3.11 – Physical tamper resistance and detection
CR 3.12 – Provisioning product supplier roots of trust
CR 3.13 – Provisioning asset owner roots of trust
CR 3.14 – Integrity of the boot process

ISA/IEC 62443-4-2 Foundational requirements for components

Develop: ISA 62443-4-2 Component requirements

FR 4 – Data confidentiality
CR 4.1 – Information confidentiality
CR 4.2 – Information persistence
CR 4.3 – Use of cryptography

FR 5 – Restricted data flow
CR 5.1 – Network segmentation
CR 5.2 – Zone boundary protection
CR 5.3 – General purpose person-to-person communication restrictions

FR 6 – Timely response to events
CR 6.1 – Audit log accessibility
CR 6.2 – Continuous monitoring

FR 7 – Resource availability
CR 7.1 – Denial of service protection
CR 7.2 – Resource management
CR 7.3 – Control system backup
CR 7.4 – Control system recovery and reconstitution
CR 7.6 – Network and security configuration settings
CR 7.7 – Least functionality
CR 7.8 – Control system component inventory

ISASecure Process and Product Certifications
Simplifies compliance and supplier selection

SDLA (process): Security Development Lifecycle Assurance
  ISA/IEC 62443-4-1

CSA (product): Component Security Assurance
  ISA/IEC 62443-4-1, ISA/IEC 62443-4-2
  Vulnerability Identification Test + Communication Robustness Test

SSA (product): System Security Assurance
  ISA/IEC 62443-4-1, ISA/IEC 62443-4-2, ISA/IEC 62443-3-3
  Vulnerability Identification Test + Communication Robustness Test

ISASecure Training & Certificates
Qualifies cybersecurity experts
Aligns ISA/IEC 62443 practices

ISA Cybersecurity Training
▪ ISA/IEC 62443 centric training – awareness, assessments, design, operation, maintenance, etc.

ISA Cybersecurity Certificates
▪ ISA certificates for students who complete ISA training courses and pass professional examinations.

ISA/IEC 62443 addresses Smart Building needs

OT attacks on the rise

Framework well suited for unique needs of Smart buildings
• More predictable failure modes
• Tighter time-criticality and determinism
• Higher availability
• More rigorous management of change
• Longer time periods between maintenance
• Significantly longer component lifetimes

Applicable to all architecture levels
• Host Devices
• Network Components
• Applications
• Embedded Devices

Full lifecycle support
• Supplier
• Integrator
• Asset owner

[Figure: ISA/IEC 62443 standards family (General; Policies & Procedures; System; Component)]

Conformance provides / drives risk reduction
• Requirements
• Guidance
• Training
• Certificates

Complements existing Smart Building standards

New Quick Start Guide
isa.org/cyberguide

ISASecure webinar

Address Smart Building Cybersecurity with IEC 62443

Questions
