3. COMPARISON RESULTS
3.10 Class: Resource Utilization (FRU)
Comparison matrix for the Resource Utilization class (rows: Degraded Fault Tolerance, Limited Priority of Service; columns: Chemical, Natural Gas, Petroleum & Oil, Transportation – Rail, Cross-Sector ISA TR99-01, Cross-Sector ISA TR99-02, Electrical Power, Telecommunications, Water). Legend: Gap, Partial Match, Match (cell ratings not reproduced here).
3.10.1 Family Definitions
- Degraded Fault Tolerance (FLT) - The requirements of this family ensure that the STOE will operate correctly even in the event of failures.
- Limited Priority of Service (PRS) - The requirements of this family allow the TSF to control the use of resources within the TSF scope of control by users and subjects such that high priority activities within the TSF scope of control will always be accomplished without undue interference or delay caused by low priority activities.
3.10.2 Chemical Sector: CIDX Cyber-security Standard
3.10.2.1 Degraded Fault Tolerance and Limited Priority of Service
The CIDX cyber-security standard partially meets the Framework requirement under this class. For example, the standard recommends that the cyber-security team determine the amount of time and resources required for system restoration, the location of backup files and hardware, the frequency of backups, the need for hot spares, etc., to ensure that critical systems can be restored in the event of a disaster. The conclusion based on the language and terminology under this class is that the standard partially meets the intent of the fault-tolerance backup system provisions of the FRU_PRS that require companies to ensure that the STOE will maintain correct operation even in the event of failures.
3.10.3 Energy - Natural Gas Sector: AGA Report Number 12
3.10.3.1 Degraded Fault Tolerance and Limited Priority of Service
This class deals with the challenge of maintaining operations when confronted with degraded service levels or partial failures. AGA 12, Part 1, does not deal with these contingencies. This is probably because transmission and distribution systems and the SCADA systems that monitor and control them are designed to be fault tolerant and already include priority-of-service mechanisms. AGA 12, Part 1, is primarily concerned with securing ongoing data communications on SCADA channels. Good SCADA design involves eliminating single points of failure. Therefore, in many cases when a primary communication channel fails, a separate alternate channel independently secured by AGA 12 mechanisms will automatically provide operations continuity. For failed channels, AGA 12 is irrelevant.
However, it should be noted that AGA 12 mechanisms must be designed to deal with common causes of channel failures and must not impede restoration efforts or the reestablishment of communication. For example, cryptographic mechanisms must deal efficiently with the communication noise that frequently degrades channel performance. If they do not, the mechanisms themselves can easily become the cause of channel failure. Such fundamental design flaws should quickly be identified in field tests and would be corrected long before deployment in a production environment.
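The point that a cryptographic mechanism can itself become the cause of channel failure is easiest to see by simulation. The following added example is not part of this comparison document, of AGA 12, or of any vendor's implementation; it contrasts two constructed link-protection designs over a noisy SCADA channel. The "chained" design ties each frame's authentication tag to the previous tag, so sender and receiver must stay in lock-step; the "framed" design carries an explicit per-frame sequence number, so each frame is verified on its own and a corrupted frame is simply dropped. The key, the telemetry readings, the bit-flip noise model and the HMAC-based toy keystream are all constructed for the demonstration; a production link would use a vetted AEAD cipher.

```python
import hashlib
import hmac
import struct

# Constructed demo key: fixed so the simulation is reproducible offline.
KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 8


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256 (illustration only; use a vetted AEAD in practice)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ChainedLink:
    """Each tag covers the previous tag, so both ends must advance together.
    One corrupted frame leaves the receiver's chain permanently behind the sender's."""

    def __init__(self):
        self.send_chain = b"\x00" * TAG_LEN   # sender-side state
        self.recv_chain = b"\x00" * TAG_LEN   # receiver-side state

    def protect(self, payload: bytes) -> bytes:
        ct = xor(payload, keystream(KEY, self.send_chain, len(payload)))
        tag = hmac.new(KEY, self.send_chain + ct, hashlib.sha256).digest()[:TAG_LEN]
        self.send_chain = tag                 # sender advances unconditionally
        return ct + tag

    def unprotect(self, frame: bytes):
        ct, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expect = hmac.new(KEY, self.recv_chain + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):
            return None                       # receiver does not advance: chains now diverge
        pt = xor(ct, keystream(KEY, self.recv_chain, len(ct)))
        self.recv_chain = tag
        return pt


class FramedLink:
    """Explicit per-frame sequence number: every frame is independently verifiable,
    so a noise-damaged frame is dropped and the next good one passes. The sequence
    number also gives replay protection (an accepted frame must exceed the last one)."""

    def __init__(self):
        self.send_seq = 0
        self.last_accepted = -1

    def protect(self, payload: bytes) -> bytes:
        self.send_seq += 1
        hdr = struct.pack(">I", self.send_seq)
        ct = xor(payload, keystream(KEY, hdr, len(payload)))
        tag = hmac.new(KEY, hdr + ct, hashlib.sha256).digest()[:TAG_LEN]
        return hdr + ct + tag

    def unprotect(self, frame: bytes):
        if len(frame) < 4 + TAG_LEN:
            return None
        hdr, ct, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expect = hmac.new(KEY, hdr + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):
            return None                       # damaged in transit: drop this frame only
        seq = struct.unpack(">I", hdr)[0]
        if seq <= self.last_accepted:
            return None                       # replayed or stale frame
        self.last_accepted = seq
        return xor(ct, keystream(KEY, hdr, len(ct)))


def flip_bit(frame: bytes, bit: int) -> bytes:
    """Constructed channel noise: invert one bit of the frame on the wire."""
    buf = bytearray(frame)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def simulate(link, n_frames: int, corrupt: set) -> int:
    """Send n_frames constructed telemetry readings; frames whose index is in
    `corrupt` suffer a one-bit error in transit. Returns the count accepted intact."""
    accepted = 0
    for i in range(n_frames):
        payload = f"reading {i:04d} pressure=412.7".encode()
        frame = link.protect(payload)
        if i in corrupt:
            frame = flip_bit(frame, 13)
        if link.unprotect(frame) == payload:
            accepted += 1
    return accepted


if __name__ == "__main__":
    noise = {10, 40, 41}   # three single-bit errors in 100 frames
    print("chained link accepted:", simulate(ChainedLink(), 100, noise), "of 100")
    print("framed link accepted: ", simulate(FramedLink(), 100, noise), "of 100")
```

With three single-bit errors in 100 frames, the chained link accepts only the 10 frames sent before the first error and then rejects everything that follows until an operator resynchronises both ends, which is exactly the self-inflicted channel failure the text warns about. The framed link loses only the three damaged frames. The same independence property is what lets an alternate channel secured by its own instance of the mechanism take over when the primary fails: nothing in the protected frames depends on the state of another channel.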
3.10.4 Energy - Petroleum & Oil Sector: API Standard Number 1164
3.10.4.1 Degraded Fault Tolerance and Limited Priority of Service
This class deals with the challenge of maintaining operations when confronted with degraded service levels or partial failures. API 1164 deals with these contingencies by establishing backup requirements that are commensurate with the criticality of the operation. It also establishes priorities for the various operations, in accordance with their criticality, and for the subjects that will have access to the system in order to perform these operations. These procedures are mandated to be part of the system, but may not be automated. The standard fully meets the Framework requirements.
3.10.5 Transportation-Rail Sector
3.10.5.1 Degraded Fault Tolerance and Limited Priority of Service
None of the requirements listed under the Resource Utilization class (FRU) in the Framework are addressed in the transportation standard. No reference was found to either fault tolerance or priority of service. This is probably due to the differences in emphasis between the two documents and the difference in the way in which the control systems are used.
3.10.6 Cross Sector - ISA-TR99.00.01-2004
3.10.6.1 Degraded Fault Tolerance and Limited Priority of Service
None of the families listed under the Resource Utilization class (FRU) in the Framework are addressed in the TR99-01. This is probably due to the differences in area of
3.10.6.2 Cross Sector - ISA-TR99.00.02-2004
3.10.6.3 Degraded Fault Tolerance and Limited Priority of Service
None of the families listed under the Resource Utilization class (FRU) in the Framework are addressed in the TR99-02. This is probably due to the differences in area of emphasis between the two documents.
3.10.7 Energy - Electric Power Sector: NERC CIP
3.10.7.1 Degraded Fault Tolerance
The provisions in CIP-009-1 address the requirements for recovery from events or conditions that would necessitate the activation of the recovery plan. The term “event” can be interpreted to be a power outage - making this a good match to the Framework requirement.
3.10.7.2 Limited Priority of Service
Besides identifying when the recovery plan needs to be activated, CIP-009-1 addresses who must be involved. However, it does not contain a requirement for restoring devices in a pre-determined, priority order.
3.10.8 Telecommunications Sector: ANSI T1.276
3.10.8.1 Degraded Fault Tolerance and Limited Priority of Service
No requirements are delineated in T1.276 that are a close or partial match to the Framework requirements delineated in the Resource Utilization (FRU) class. FRU is concerned with ensuring the availability of resources. M-48 is the only resource utilization requirement specified in T1.276. However, it relates to the improper use of resources by system users, not to ensuring the availability of resources. M-48 specifies that systems display an improper usage warning banner before any logical access is allowed. The Framework does not delineate a similar requirement, so this is a possible gap in the Framework itself.
3.10.9 Water Sector: AWWA
3.10.9.1 Degraded Fault Tolerance
The AWWA standard recognizes the need to avoid power failures, so it states that a UPS should be provided for critical SCADA devices, servers, networking components, and vital workstations. It also advises considering whether to use diesel-powered generators for critical components. This partially fulfills the FRU_FLT family.
3.10.9.2 Limited Priority of Service
Unfortunately, the standard does not require a methodology for assigning priorities to devices in order to determine which are the most critical, which is required to meet the FRU_PRS family.