Control Systems Security Guides
Control systems guides have traditionally focused on device performance and on the specification of communications protocols. Moreover, these standards are open to interpretation: the IEC 60870-5-101 protocol specification, for example, allows the implementation of different profiles that are mutually incompatible yet all compliant with the standard.
In recent years, the industrial sector has begun to demand security regulation in order to safeguard its facilities. Out of this need, an extensive body of security standards and guidelines has emerged. The main features of some of the most important standards and guidelines are described below.
ISA99
The ISA99 standard encompasses a series of technical reports and guidelines. Of this series, only the first two guidelines (ANSI/ISA-99.01.01-2007 and ANSI/ISA-99.02.01-2009) and one technical report (ANSI/ISA-TR99.01.02-2007) were ultimately published.
The first published guideline addresses the concepts, terminology and models used throughout the rest of the series. The second describes the elements required to implement a cybersecurity management system and how to meet the requirements for each of those elements.
The technical report that was published focuses on various security tools as well as how to implement and apply them to control systems. This report has been updated in order to address new tools.
Development of this standard was halted when the decision was taken to begin work on the ISA/IEC 62443 standard. The latter compiles the material already developed by ISA and also defines new deliverables.
IEC 62443
The IEC 62443 standard, elaborated by technical committee TC65 of the International Electrotechnical Commission, originated as a continuation of the work on the ISA99 standard. Its goal is to complete and expand the scope of ISA99.
The standard comprises a total of 13 documents, some of which have already been officially published while the rest are under development. The breakdown is as follows: 5 technical reports, 1 technical specification and 7 guidelines. The documents are grouped into four content-based blocks: General, Policies and Procedures, System, and Component.
[Figure: Developmental progress of the IEC 62443 standard documents]
The documents which have been published are:
- IEC/TS 62443-1-1:2009: Technical specification which defines the terminology, concepts and models for industrial automation and control systems. It is the updated version of the ISA99 document ANSI/ISA-99.01.01-2007.
- IEC 62443-2-1:2010: Corresponds to the ISA99 document ANSI/ISA-99.02.01-2009, which describes the cybersecurity management system for control systems.
- IEC/TR 62443-3-1:2009: An updated version of the ANSI/ISA-TR99.01.02-2007 technical report with new security technologies for Industrial Automation and Control Systems (IACS).
- IEC/PAS 62443-3-3:2008: This is a publicly available specification whose objective is to establish a framework for securing information and communication technology aspects of industrial processes.
NIST SP 800-82
The purpose of this publication from the U.S. National Institute of Standards and Technology (NIST) is to provide a security guide for Industrial Control Systems (ICS) such as SCADA (Supervisory Control and Data Acquisition) systems, DCS (Distributed Control Systems) and other control system configurations used in industrial environments.
The document defines typical topologies of these systems, identifies threats and vulnerabilities, and provides security countermeasures and recommendations to mitigate the associated risks.
The document was first published in 2011; a second version dates from June 2015.
NIST SP 800-53
Like NIST SP 800-82, this document was developed by NIST.
The purpose of this publication is to provide a security controls guide for information systems. It applies to all information system components which process, store or transfer information.
Appendix F of the document contains the catalogue of security controls, which are designed to facilitate compliance with the various regulations. NIST has also published a series of additional guidelines (ICS Supplemental Guidance, ICS Enhancements (one or more) and ICS Enhancement Supplemental Guidance) which indicate and facilitate the application of the NIST SP 800-53 security controls to industrial control systems. These additional guidelines also state which systems the security controls do and do not apply to.
The guideline is currently in its 4th revision, published in 2013.
NRC RG 5.71
The United States Nuclear Regulatory Commission (NRC) published this guide in order to establish controls for compliance with the Commission's regulations, which concern the protection of computers, communications systems and networks against cyber-attacks.
The RG 5.71 guide (Regulatory Guide 5.71) describes a defence strategy based on a defensive architecture and on a set of security controls drawn from both NIST SP 800-82 and NIST SP 800-53. The controls are divided into three categories: technical, operational and management.
The standards described so far are the most important ones for the industrial sector. They are also the standards the sector most often consults and tries to comply with, because they cover all facets of security rather than only specific ones (RG 5.71 being the exception).
Other important standards and guidelines also deserve mention. These are focused either on specific sectors, fundamentally the electric power industry, which is the most advanced in this respect, or on a specific security role.
NERC CIP
NERC is the electric power regulatory body of the United States. To oversee the security of electrical grids and of the industry in general, it created a series of mandatory rules and regulations. Nine guidelines were originally established, all but the first of which concern cybersecurity. The number of guidelines later rose to 11; they are currently in their third version, with version five under development (except for CIP-010 and CIP-011, which are at version 1).
These standards recognise the different roles that each entity within the operation of the electric system plays, the criticality and vulnerability of its Assets, and the risks to which they are exposed.
Business and operational demands for managing and maintaining a reliable electric system increasingly rely on Cyber Assets supporting critical functions and processes communicating with each other for services and data. This increases the risk to these Cyber Assets, given that the more they are exposed, the greater the chance they will suffer a cyber-attack.
IEC 62351
The scope of the IEC 62351 standard is security for control operations in the power industry. Its core objective is to develop security standards for the communications protocols defined by the IEC TC 57 group, specifically IEC 60870-5 (IEC 101, IEC 104, etc.), IEC 60870-6 (ICCP), IEC 61850 (MMS, GOOSE), IEC 61970 and IEC 61968.
The IEC 62351 standard is divided into 11 independent documents. The first is an introduction to the standard and the second a glossary of terms. The following documents contain the set of security measures that apply to each protocol family. The final documents define the implementation of measures such as Role Based Access Control (RBAC), key management, the definition of the security architecture and the security measures to be taken with XML files.
IEEE 1711-2010
The IEEE 1711-2010 standard is the result of the work carried out during the development of the IEEE P1689 document, whose requirements have been incorporated into this standard. The IEEE P1689 document in turn derives from the AGA 12 standard, which was developed for the U.S. gas industry and contains cryptographic protection measures to be applied to control systems for improved security.
IEEE 1711-2010 defines a serial security protocol for two types of cryptographic modules: the SCADA cryptographic module (SCM) protects the serial SCADA channel, and the Maintenance Cryptographic Module (MCM) protects the maintenance channel which is usually a modem connection.
IEEE 1686-2007
The IEEE 1686-2007 standard defines the functions and features to be provided by Intelligent Electronic Devices (IEDs) in support of Critical Infrastructure Protection (CIP).
The standard describes the countermeasures, audit mechanisms and alarm indicators that the IED vendor shall provide for all activities associated with access, operation, configuration, firmware revision, and information and data retrieval. It also allows users to define a security program around these features.
The standard was developed taking into account the security measures and controls published in the NERC CIP (Critical Infrastructure Protection) plan. However, it can be applied to any IED that requires security features, regardless of whether or not it falls under that regulation.
Many other security regulations exist which have already been superseded by more up-to-date standards covering new controls and features (AGA 12, API 1164, etc.), as well as others which do not apply in Europe and are therefore not discussed in this article (ANSI C12.19, C12.22, etc.).