
Additional IACS Implementation Guidance

FOR REVIEW PURPOSES ONLY! (Page 127-129)

NOTE This Annex should contain any additional material that we want to include from the previous ISA-99.02.01-2009 document. It is a placeholder and dumping ground right now. We will try to organize and consolidate the material in this Annex later.

C.1 IACS Assets

Need to indicate the clear boundaries between IACS and other components. Below is some idea of how we define physical, logical and informational IACS assets. This will definitely need to be refined.

Physical IACS assets are objects that have processors and/or network interfaces and are responsible for performing some function in the IACS. We aren’t talking about the thermocouples or limit switches (Level 0), but we are talking about the I/O blocks and controllers necessary to perform the control loops. The physical IACS asset list may also not contain large-scale items like generators or pumps, depending on their control mechanism. If they have a separate controller, then the controller is part of the physical IACS assets, while the generator or pumps aren’t.

Logical IACS assets are objects like 3rd party software applications, computer operating systems, operational programs (ladder logic, scripts, recipes, etc.), and other objects where generally a monetary amount can be associated with their loss or damage.

Informational IACS assets are objects that are likely operational in nature, including things like disaster recovery plans, operational procedures, incident handling plans, data historian databases, etc. These are, many times, the outputs of different stages of the IACS-SMS that need to be managed and stored for future purposes (including certification, regulation, inspection, and review), but it may be difficult to associate a monetary figure with them since they are policy, procedure, or planning related objects.

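As an added illustration (not text or code from the ISA99 draft), the following Python sketches how the three asset classes above might be applied to an equipment inventory so that the IACS boundary is drawn consistently: Level 0 sensors are excluded, equipment with a separate controller is excluded while its controller is included, software is logical, and plans or historian data are informational. The item kinds, field names and the sample inventory are assumptions made here, and the classification rules are one reading of the draft text rather than anything the standard prescribes.

```python
from dataclasses import dataclass
from typing import Optional

# Added illustration (not part of the ISA99 draft): sorting an inventory into the
# three IACS asset classes sketched in C.1. The rules are one reading of that text.


@dataclass
class InventoryItem:
    name: str
    kind: str                        # assumed kinds: "device", "equipment", "software", "information"
    has_processor: bool = False
    has_network_interface: bool = False
    level: Optional[int] = None      # control hierarchy level; 0 = sensors/actuators
    controlled_by: Optional[str] = None  # name of a separate controller, if any


def classify(item: InventoryItem) -> str:
    """Return 'physical', 'logical', 'informational' or 'out-of-scope'."""
    if item.kind == "information":
        # plans, procedures, historian databases: outputs of the IACS-SMS
        return "informational"
    if item.kind == "software":
        # applications, operating systems, ladder logic, scripts, recipes
        return "logical"
    if item.level == 0:
        # thermocouples, limit switches: below the IACS boundary
        return "out-of-scope"
    if item.kind == "equipment" and item.controlled_by is not None:
        # generator or pump with a separate controller: the controller is the
        # physical asset, the equipment itself is not
        return "out-of-scope"
    if item.has_processor or item.has_network_interface:
        return "physical"
    return "out-of-scope"


def build_register(items):
    """Group item names by asset class, preserving inventory order."""
    register = {"physical": [], "logical": [], "informational": [], "out-of-scope": []}
    for item in items:
        register[classify(item)].append(item.name)
    return register


def dangling_controllers(items):
    """Equipment whose declared controller is not itself a physical asset in the
    register. Such entries mean the boundary was drawn inconsistently and need review."""
    physical = {i.name for i in items if classify(i) == "physical"}
    return [i.name for i in items
            if i.controlled_by is not None and i.controlled_by not in physical]


# Constructed sample inventory (all names are made up for this example)
SAMPLE_INVENTORY = [
    InventoryItem("TC-12", "device", level=0),
    InventoryItem("IO-Block-7", "device", has_network_interface=True, level=1),
    InventoryItem("PLC-01", "device", has_processor=True, has_network_interface=True, level=1),
    InventoryItem("Pump-3", "equipment", controlled_by="PLC-01"),
    InventoryItem("Gen-1", "equipment", has_processor=True),      # embedded controller, no separate one
    InventoryItem("Pump-9", "equipment", controlled_by="PLC-99"),  # controller missing from inventory
    InventoryItem("HMI-Runtime", "software"),
    InventoryItem("Recipe-B7", "software"),
    InventoryItem("DR-Plan", "information"),
    InventoryItem("Historian-DB", "information"),
]

if __name__ == "__main__":
    for asset_class, names in build_register(SAMPLE_INVENTORY).items():
        print(f"{asset_class:14s} {', '.join(names) or '-'}")
    print("review needed:", dangling_controllers(SAMPLE_INVENTORY))
```

The `dangling_controllers` check is the part worth keeping in a real register: an item that claims to be controlled by something not in the physical asset list means either the controller was never inventoried or the equipment was excluded on a mistaken assumption, and both cases leave a gap in the boundary that the rest of the CSMS builds on.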

C.1.1 Element: Staff training and security awareness

C.1.1.1 Description of the element

Security awareness for all personnel is an essential tool for reducing cyber security risks. Knowledgeable and vigilant staff is one of the most important lines of defense in securing any system. In the area of IACS, the same emphasis shall be placed on cyber security as on safety and operational integrity, because the consequences can be just as severe. It is therefore important for all personnel (employee, contract or third-party) to understand the importance of security in maintaining the operation of the system. Staff training and security awareness programs provide all personnel (employees, contractors, and the like) with the information necessary to identify, review, address and, where appropriate, remediate vulnerabilities and threats to IACS and to help ensure their own work practices include effective countermeasures. All personnel should receive adequate technical training associated with the known threats and vulnerabilities of hardware, software and social engineering. Cyber security training and security awareness programs are most effective if they are tailored to the audience, consistent with company policy and communicated regularly. Training provides a means to communicate key messages to personnel in a timely fashion. An effective training program can help employees understand why new or updated security controls are required and generate ideas they can use to reduce risks and the impact on the organization if control methods are not incorporated.

This document is a WORKING DRAFT of an ISA99 committee work product. It may not be accurate or complete and is subject to change without notice. It is provided SOLELY for the purpose of review in support of further development of committee work products. This document may not be copied, distributed to others, or offered for further reproduction or for sale.

C.1.1.2 Developing a staff training program and building security awareness

Training of one sort or another is an activity that spans almost the entire period during which a CSMS is developed and implemented. It begins after the scope of the effort is clarified and the team of stakeholders is identified. The objective of the training program is to provide all personnel with the information they need so that they will be aware of any possible threats to the system and their responsibilities for the safe and secure operation of the production facilities.

The organization should design and develop a cyber security training program in conjunction with the organization’s overall training program. Training should be in two phases: 1) general training for all personnel and 2) role-based training aimed at specific duties and responsibilities. Before beginning the development of the training program it is important to identify the scope and boundaries for the training and to identify and define the various roles within the organization.

The general training program should be developed for all personnel. Users should be trained in the correct security procedures, the correct use of IACS facilities and the correct handling of information in order to minimize risks. Training should also include legal responsibilities, business controls and individual security responsibilities.

Role-based training should focus on the security risks and responsibilities associated with the specific role a person fills within the organization. These individuals will need more specific and intensive training. Subject matter experts should be employed to contribute to this training. Role-based training may be conducted in the classroom, may be web-based or hands-on. This training may also leverage training provided by vendors for in-depth discussion of tools and associated exposures.

The program should include a means to review and revise the program as required, and a means to evaluate the effectiveness of the program. Also, there should be a time defined for periodic retraining.

Management’s commitment to training and ensuring adequate cyber security awareness is critical to providing a stable and secure computing environment for both IT and IACS. In particular for the IACS environment, a stable and secure computing environment aids in maintaining the safe operation of the equipment under control and reducing HSE incidents. This commitment should take the form of resources for developing and organizing the training and making staff available to attend.

Following the development of a cyber security training program, the organization should provide the appropriate training for all personnel. Training programs should be provided in a place and at times that allow personnel to be trained without adversely affecting their other responsibilities. General training should be provided as part of a new employee’s orientation and as a part of the orientation for contract, temporary or third-party personnel. The training required should be appropriate for the level of contact which they will have with the organization. Specialized training may be provided as follows:

a) Training for stakeholders

Training is appropriate for the team of stakeholders as well as the community of individuals in the IACS community who will ultimately be impacted. The team of stakeholders will need specific training on the type of risks that are being considered, the scope and charter of work that management has approved, any background information on incidents that have occurred to these systems either within the organization or within the industry in general and on the types of architectures and systems that are in use within the organization. Formal classroom training is not necessary to share this information. Presentations at business meetings, communication sessions and e-mail announcements are examples of ways to share the information.

Training employees preparing for new roles

Training will be needed for employees as they prepare to assume new roles either within the direct risk management system or within the risk management related projects. Virtually all members of the IACS community will receive a certain amount of training during this phase. Some of the direct risk management roles will include responsibilities for self-assessments or internal audits.

Training of auditors

Training will be needed for auditors to help them understand the nature of the systems and networks they will be auditing as well as the specific policies that have been created.

Ongoing training

There will be an ongoing need for training at all levels due to the addition of new employees and third-party personnel, the need to provide updates as policies and services are modified over time and to provide refresher training to ensure that personnel remain competent in their roles and responsibilities.

It is important to validate that personnel are aware of their roles and responsibilities as part of the training program. Validation of security awareness provides two functions: 1) it helps identify how well the personnel understand the organization’s cyber security program and 2) it helps to evaluate the effectiveness of the training program. Validation can come through several means including written testing on the content of the training, course evaluations, monitored job performance or documented changes in security behavior. A method of validation should be agreed upon during the development of the training program and communicated to the personnel.

Records of employee training and schedules for training updates should be maintained and reviewed on a regular basis. Documenting training can assist the organization to ensure that all personnel have the required training for their particular roles and responsibilities. It can also help identify if additional training is needed and when periodic retraining is required.

Over time, the vulnerabilities, threats and associated security measures will change. These changes will necessitate changes to the content of the training program. The training program should be reviewed periodically (for example, annually) for its effectiveness, applicability, content and consistency with tools currently used and corporate practices and laws, and revised as needed. Subscriptions to security alert services may help ensure up-to-date knowledge of recently identified vulnerabilities and exposures.

C.1.1.3 Supporting practices

C.1.1.3.1 Baseline practices

The following seven actions are baseline practices:

b) Addressing the various roles associated with maintaining a secure systems environment
