13 Communication Security
13.1 Network security management
Objective: To ensure the protection of IACS, business processes and information in networks and their supporting information processing facilities.
13.1.1 Network controls
Control
Networks should be managed and controlled to protect IACS, business processes and information in systems and applications.
The organization shall produce implementation guidance for wireless technologies.
(1) The organization shall deploy continuous passive monitoring for unauthorized wireless access points and take appropriate action if such access points are discovered.
Implementation guidance
Controls should be implemented to ensure the security of information in networks and the protection of connected services from unauthorized access. In particular, the following items should be considered:
a) responsibilities and procedures for the management of networking equipment should be established;
b) operational responsibility for networks should be separated from computer operations where appropriate (see 6.1.5);
c) special controls should be established to safeguard the availability, confidentiality and integrity of data passing over public networks or over wireless networks, and to protect the connected systems and applications (see 10 and 13.2); special controls may also be required to maintain the availability of the network services and the computers connected to them;
d) appropriate logging and monitoring should be applied to enable recording and detection of actions that may affect, or are relevant to, IACS and information security;
e) management activities should be closely coordinated, both to optimize the service to the organization and to ensure that controls are consistently applied across the IACS and information processing infrastructure;
f) systems on the network should be authenticated;
g) connection of systems to the network should be restricted;
h) high-risk IACS shall be isolated from, or employ a network segmentation barrier to separate them from, other zones with different security levels or risk; and
i) barrier devices shall block all non-essential communications in and out of the security zone containing critical control equipment.
This document is a WORKING DRAFT of an ISA99 committee work product. It may not be accurate of complete and is subject to change without notice. It is provided SOLELY for the purpose of review in support of further development of committee work products. This document may not be copied, distributed to others, or offered for further reproduction or for sale.
Other Information
Additional information on network security can be found in ISO/IEC 27033 Network Security.
Wireless technologies include, but are not limited to, microwave, satellite, packet radio [UHF/VHF], 802.11x, 802.15.4 (ZigBee, WirelessHART, ISA100.11a), and Bluetooth.
At the time of publication of this document, these access points are typically based on 802.11x technology. In the future this will change, and other wireless technologies will need to be monitored as well. Regardless, organizations should conduct a thorough scan for unauthorized wireless access points in facilities containing high-impact IACS. The scan should cover the entire facility, not just the areas containing a high-impact IACS.
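The passive monitoring required by (1) and the facility-wide scan described above come down to comparing what the sensors hear against the authorized inventory, and deciding what kind of finding each mismatch is. The following is an added example for this section, not text or code from the ISA99 draft; the scan records, the inventory layout and the field names are constructed assumptions.

```python
"""Passive rogue access point detection against an authorized inventory.

Added example for this section; it is not part of the ISA99 draft. The scan
records are constructed to resemble the parsed output of a passive 802.11
monitor (beacon SSID, transmitter BSSID, channel, encryption flag, and the
sensor that heard it). Field names and the inventory layout are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class ObservedAP:
    ssid: str            # "" when the beacon hides its SSID
    bssid: str           # transmitter MAC as printed by the sensor
    channel: int
    sensor: str          # which sensor heard it; used to locate a rogue
    open_network: bool   # True when the beacon advertises no encryption


def normalize_bssid(bssid: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-CC-..' and 'aa:bb:cc:..' compare equal."""
    digits = "".join(c for c in bssid.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed BSSID: {bssid!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Authorized inventory (assumption): SSID -> BSSIDs permitted to advertise it,
# as the wireless team would export it from the controller.
AUTHORIZED: Dict[str, Set[str]] = {
    "PLANT-OT":   {normalize_bssid("00:11:22:33:44:01"), normalize_bssid("00:11:22:33:44:02")},
    "PLANT-CORP": {normalize_bssid("00:11:22:33:55:01")},
}


def classify(ap: ObservedAP, authorized: Dict[str, Set[str]] = AUTHORIZED) -> str:
    """Label one observed AP.

    authorized               our SSID (or a hidden SSID) from a registered radio
    authorized_misconfigured registered radio, but beaconing an open network
    evil_twin                our SSID from a radio we do not own
    unknown_hidden           hidden SSID from a radio we do not own
    unknown                  SSID not in the inventory (neighbour, hotspot, or rogue)
    """
    bssid = normalize_bssid(ap.bssid)
    known_radios = {b for radios in authorized.values() for b in radios}
    if ap.ssid == "":
        # Hidden SSID: only the transmitter address can be judged.
        if bssid not in known_radios:
            return "unknown_hidden"
    elif ap.ssid not in authorized:
        return "unknown"
    elif bssid not in authorized[ap.ssid]:
        return "evil_twin"
    return "authorized_misconfigured" if ap.open_network else "authorized"


def triage(scan: Iterable[ObservedAP]) -> Dict[str, List[ObservedAP]]:
    """Group a scan by finding category; everything except 'authorized' needs action."""
    buckets: Dict[str, List[ObservedAP]] = defaultdict(list)
    for ap in scan:
        buckets[classify(ap)].append(ap)
    return dict(buckets)


# Constructed scan: one sweep across three sensors covering the whole facility.
SCAN: List[ObservedAP] = [
    ObservedAP("PLANT-OT", "00:11:22:33:44:01", 36, "sensor-controlroom", False),
    ObservedAP("PLANT-OT", "DE-AD-BE-EF-00-01", 36, "sensor-controlroom", False),  # impersonates PLANT-OT
    ObservedAP("PLANT-CORP", "00:11:22:33:55:01", 6, "sensor-office", False),
    ObservedAP("", "00:11:22:33:44:02", 40, "sensor-warehouse", False),            # ours, hidden SSID
    ObservedAP("", "de:ad:be:ef:00:02", 11, "sensor-warehouse", False),            # unknown radio, hidden SSID
    ObservedAP("Visitor-Hotspot", "de:ad:be:ef:00:03", 1, "sensor-office", True),
]

if __name__ == "__main__":
    for category, aps in sorted(triage(SCAN).items()):
        for ap in aps:
            print(f"{category:24s} {ap.ssid or '<hidden>':16s} {normalize_bssid(ap.bssid)}  ch{ap.channel:<3d} {ap.sensor}")
```

The inventory is keyed by SSID rather than by BSSID alone so that an attacker broadcasting the plant SSID from their own radio is reported as an evil twin, not merely as an unknown network; the sensor name on each record is what lets the response team walk to the right area.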
13.1.2 Security of network services
Control
Security mechanisms, service levels and management requirements of all network services should be identified and included in network services agreements, whether these services are provided in-house or outsourced.
Implementation guidance
The ability of the network service provider to manage agreed services in a secure way should be determined and regularly monitored, and the right to audit should be agreed.
The security arrangements necessary for particular services, such as security features, service levels and management requirements, should be identified. The organization should ensure that network service providers implement these measures.
Other Information
Network services include the provision of connections, private network services and value-added networks, and managed network security solutions such as firewalls and intrusion detection systems. These services can range from simple unmanaged bandwidth to complex value-added offerings.
Security features of network services could be:
a) technology applied for security of network services, such as authentication, encryption and network connection controls;
b) technical parameters required for secured connection with the network services in accordance with the security and network connection rules;
c) procedures for the network service usage to restrict access to network services or applications, where necessary.
13.1.3 Segregation in networks
Control
Network segregation shall include the following segmentation countermeasure strategies:
a) groups of information services, users and information systems shall be segregated on networks;
b) additionally, network segmentation countermeasure strategies employing security zones shall be developed for IACS based upon the risk level.
The organization carefully considers the intrinsically shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services.
(1) The organization implements a managed interface (boundary protection devices in an effective security architecture) with any external telecommunication service, implementing controls appropriate to the required protection of the confidentiality and integrity of the information being transmitted.
Implementation guidance
One method of managing the security of large networks is to divide them into separate network domains. The domains can be chosen based on trust levels (e.g., public access domain, desktop domain, server domain), along organizational units (e.g., human resources, finance, marketing) or some combination (e.g., server domain connecting to multiple organizational units). The segregation can be done using either physically different networks or different logical networks (e.g., virtual private networking).
The perimeter of each domain should be well defined. Access between network domains is allowed, but should be controlled at the perimeter using a gateway (e.g., firewall, filtering router). For high-risk IACS, the use of a DMZ in conjunction with a Control Zone offers additional risk reduction opportunities between the low-security-level Business Zone and the high-security-level Control Zone. The criteria for segregation of networks into domains, and the access allowed through the gateways, should be based on an assessment of the security requirements of each domain. The assessment should be in accordance with the access control policy (see 9.1.1), access requirements, and the value and classification of information processed, and should also take account of the relative cost and performance impact of incorporating suitable gateway technology.
Wireless networks require special treatment due to their poorly defined network perimeter. For sensitive environments, consideration should be given to treating all wireless access as external connections (see 9.4.2) and to segregating this access from internal networks until it has passed through a gateway in accordance with the network controls policy (see 13.1.1), before access to internal systems is granted.
The authentication, encryption and user-level network access control technologies of modern, standards-based wireless networks may be sufficient for direct connection to the organization's internal network when properly implemented.
Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may include third-party-provided access lines and other service elements. Consequently, such interconnecting communication services may represent sources of increased risk despite contractual security provisions. Therefore, when this situation occurs, the organization either implements appropriate compensating security controls or explicitly accepts the additional risk.
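Items h) and i) of 13.1.1 together with the DMZ and Control Zone guidance above amount to a default-deny conduit policy between security zones: only named, essential flows cross a barrier, the Business Zone never reaches the Control Zone directly, and wireless access terminates at a gateway in the DMZ. The following is an added example for this section, not material from the ISA99 draft; the zone plan, addresses, ports and conduit list are constructed assumptions.

```python
"""Default-deny zone and conduit policy for an IACS network with a DMZ.

Added example for this section; it is not the draft's own material. The zone
plan, addresses and the allowed conduits are constructed for illustration.
It models the guidance above: the Business Zone reaches the Control Zone only
through a DMZ, wireless is treated as external, and any flow that is not
explicitly listed is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed zone plan (assumption): one IPv4 subnet per security zone.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "business": ipaddress.ip_network("10.1.0.0/16"),
    "dmz":      ipaddress.ip_network("10.2.0.0/24"),
    "control":  ipaddress.ip_network("10.3.0.0/24"),
    "wireless": ipaddress.ip_network("10.9.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str       # "tcp" or "udp"
    dst_port: int
    purpose: str     # every essential conduit states why it exists


# Conduit allowlist (constructed). Anything not matched here is denied.
ALLOWED: List[Rule] = [
    Rule("business", "dmz", "tcp", 443, "engineers browse the historian replica"),
    Rule("dmz", "control", "tcp", 502, "historian collector polls PLCs over Modbus/TCP"),
    Rule("dmz", "control", "tcp", 3389, "jump host session to the engineering workstation"),
    Rule("control", "dmz", "udp", 123, "controllers sync time from the DMZ NTP server"),
    Rule("wireless", "dmz", "tcp", 443, "mobile HMI terminates at the DMZ gateway only"),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it lies outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int,
             rules: List[Rule] = ALLOWED) -> Tuple[str, str]:
    """Decide one flow at the barrier device. Returns (verdict, reason)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny", "address outside every defined zone"
    if src == dst:
        return "allow", f"intra-zone traffic in {src}; the barrier is not in the path"
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto, r.dst_port) == (src, dst, proto.lower(), dst_port):
            return "allow", r.purpose
    return "deny", f"no conduit {src} -> {dst} for {proto.lower()}/{dst_port} (default deny)"


def audit_rules(rules: List[Rule]) -> List[str]:
    """Structural checks on the allowlist itself, independent of any traffic."""
    problems: List[str] = []
    for r in rules:
        for z in (r.src_zone, r.dst_zone):
            if z not in ZONES:
                problems.append(f"{r}: unknown zone {z!r}")
        if {r.src_zone, r.dst_zone} == {"business", "control"}:
            problems.append(f"{r}: business and control must be separated by the DMZ")
        if r.src_zone == "wireless" and r.dst_zone != "dmz":
            problems.append(f"{r}: wireless is external and may terminate only in the DMZ")
        if not r.purpose.strip():
            problems.append(f"{r}: conduit has no stated purpose")
    return problems


if __name__ == "__main__":
    for flow in [("10.1.5.20", "10.2.0.10", "tcp", 443),
                 ("10.1.5.20", "10.3.0.7", "tcp", 502),
                 ("10.2.0.10", "10.3.0.7", "tcp", 502),
                 ("10.9.0.5", "10.3.0.7", "tcp", 502)]:
        print(flow, evaluate(*flow))
    print("audit:", audit_rules(ALLOWED) or "no findings")
```

The two functions serve different reviewers: evaluate answers "would this packet be passed" for one flow, while audit_rules checks the ruleset itself for the architectural mistakes the guidance warns about, so that a later change which adds a direct Business-to-Control conduit is caught before it is deployed.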
Other information
Networks often extend beyond organizational boundaries, as business partnerships are formed that require the interconnection or sharing of information processing and networking facilities. Such extensions can increase the risk of unauthorized access to the organization's information systems that use the network, some of which require protection from other network users because of their sensitivity or criticality.
13.2 Information transfer