NOTE This Annex should contain any additional material that we want to include from the previous ISA-99.02.01-2009 document. It is a placeholder and dumping ground right now. We will try to organize and consolidate the material in this Annex later.

C.1 IACS Assets
Need to indicate the clear boundaries between IACS and other components. Below is some idea of how we define physical, logical and informational IACS assets. This will definitely need to be refined.

Physical IACS assets are objects that have processors and/or network interfaces and are responsible for performing some function in the IACS. We aren’t talking about the thermocouples or limit switches (Level 0), but we are talking about the I/O blocks and controllers necessary to perform the control loops. The physical IACS asset list may also not contain large-scale items like generators or pumps, depending on their control mechanism. If they have a separate controller, then the controller is part of the physical IACS assets, while the generator or pumps aren’t.

Logical IACS assets are objects like third-party software applications, computer operating systems, operational programs (ladder logic, scripts, recipes, etc.), and other objects where generally a monetary amount can be associated with their loss or damage.

Informational IACS assets are objects that are likely operational in nature, including things like disaster recovery plans, operational procedures, incident handling plans, data historian databases, etc. These are, many times, the outputs of different stages of the IACS-SMS that need to be managed and stored for future purposes (including certification, regulation, inspection, and review), but it may be difficult to associate a monetary figure with them since they are policy, procedure, or planning related objects.

C.1.1 Element: Staff training and security awareness

C.1.1.1 Description of the element

Security awareness for all personnel is an essential tool for reducing cyber security risks. Knowledgeable and vigilant staff is one of the most important lines of defense in securing any system. In the area of IACS, the same emphasis shall be placed on cyber security as on safety and operational integrity, because the consequences can be just as severe. It is therefore important for all personnel (employee, contract or third-party) to understand the importance of security in maintaining the operation of the system. Staff training and security awareness programs provide all personnel (employees, contractors, and the like) with the information necessary to identify, review, address and, where appropriate, remediate vulnerabilities and threats to IACS and to help ensure their own work practices include effective countermeasures. All personnel should receive adequate technical training associated with the known threats and vulnerabilities of hardware, software and social engineering. Cyber security training and security awareness programs are most effective if they are tailored to the audience, consistent with company policy and communicated regularly. Training provides a means to communicate key messages to personnel in a timely fashion. An effective training program can help employees understand why new or updated security controls are required and generate ideas they can use to reduce risks and the impact on the organization if control methods are not incorporated.

This document is a WORKING DRAFT of an ISA99 committee work product. It may not be accurate or complete and is subject to change without notice. It is provided SOLELY for the purpose of review in support of further development of committee work products. This document may not be copied, distributed to others, or offered for further reproduction or for sale.

C.1.1.2 Developing a staff training program and building security awareness

Training of one sort or another is an activity that spans almost the entire period during which a CSMS is developed and implemented. It begins after the scope of the effort is clarified and the team of stakeholders is identified. The objective of the training program is to provide all personnel with the information they need so that they will be aware of any possible threats to the system and their responsibilities for the safe and secure operation of the production facilities.

The organization should design and develop a cyber security training program in conjunction with the organization’s overall training program. Training should be in two phases: 1) general training for all personnel and 2) role-based training aimed at specific duties and responsibilities. Before beginning the development of the training program it is important to identify the scope and boundaries for the training and to identify and define the various roles within the organization.

The general training program should be developed for all personnel. Users should be trained in the correct security procedures, the correct use of IACS facilities and the correct handling of information in order to minimize risks. Training should also include legal responsibilities, business controls and individual security responsibilities.

Role-based training should focus on the security risks and responsibilities associated with the specific role a person fills within the organization. These individuals will need more specific and intensive training. Subject matter experts should be employed to contribute to this training. Role-based training may be conducted in the classroom, web-based or hands-on. This training may also leverage training provided by vendors for in-depth discussion of tools and associated exposures.

The program should include a means to review and revise the program as required and a means to evaluate the effectiveness of the program. Also, there should be a time defined for periodic retraining.

Management’s commitment to training and ensuring adequate cyber security awareness is critical to providing a stable and secure computing environment for both IT and IACS. In particular for the IACS environment, a stable and secure computing environment aids in maintaining the safe operation of the equipment under control and reducing HSE incidents. This commitment should be in the form of resources for developing and organizing the training and making staff available to attend.

Following the development of a cyber security training program, the organization should provide the appropriate training for all personnel. Training programs should be provided in a place and at times that allow personnel to be trained without adversely affecting their other responsibilities. General training should be provided as part of a new employee’s orientation and as a part of the orientation for contract, temporary or third-party personnel. The training required should be appropriate for the level of contact which they will have with the organization. Specialized training may be provided as follows:

a) Training for stakeholders

Training is appropriate for the team of stakeholders as well as the community of individuals in the IACS community who will ultimately be impacted. The team of stakeholders will need specific training on the type of risks that are being considered, the scope and charter of work that management has approved, any background information on incidents that have occurred to these systems either within the organization or within the industry in general and on the types of architectures and systems that are in use within the organization. Formal classroom training is not necessary to share this information. Presentations at business meetings, communication sessions and e-mail announcements are examples of ways to share the information.

b) Training employees preparing for new roles

Training will be needed for employees as they prepare to assume new roles either within the direct risk management system or within the risk management related projects. Virtually all members of the IACS community will receive a certain amount of training during this phase. Some of the direct risk management roles will include responsibilities for self-assessments or internal audits.

c) Training of auditors

Training will be needed for auditors to help them understand the nature of the systems and networks they will be auditing as well as the specific policies that have been created.

d) Ongoing training

There will be an ongoing need for training at all levels due to the addition of new employees and third-party personnel, the need to provide updates as policies and services are modified over time and to provide refresher training to ensure that personnel remain competent in their roles and responsibilities.

It is important to validate that personnel are aware of their roles and responsibilities as part of the training program. Validation of security awareness provides two functions: 1) it helps identify how well the personnel understand the organization’s cyber security program and 2) it helps to evaluate the effectiveness of the training program. Validation can come through several means including written testing on the content of the training, course evaluations, monitored job performance or documented changes in security behavior. A method of validation should be agreed upon during the development of the training program and communicated to the personnel.

Records of employee training and schedules for training updates should be maintained and reviewed on a regular basis. Documenting training can assist the organization to ensure that all personnel have the required training for their particular roles and responsibilities. It can also help identify if additional training is needed and when periodic retraining is required.

Over time, the vulnerabilities, threats and associated security measures will change. These changes will necessitate changes to the content of the training program. The training program should be reviewed periodically (for example, annually) for its effectiveness, applicability, content and consistency with tools currently used and corporate practices and laws, and revised as needed. Subscriptions to security alert services may help ensure up-to-date knowledge of recently identified vulnerabilities and exposures.

C.1.1.3 Supporting practices

C.1.1.3.1 Baseline practices

The following seven actions are baseline practices: