DRAFT dISA-99.00.02

Manufacturing and Control Systems Security

Part 2: Establishing a Manufacturing and Control System Security Program

Draft 1, Edit 5

September 20, 2005

THIS DRAFT VERSION IS STRICTLY FOR REVIEW BY

ISA SP-99 MEMBERS ONLY

This document is a draft that represents work being done by an ISA Standards Committee leading to the development of an ISA Standard. ISA grants permission to anyone to reproduce and distribute copies of this draft ISA standard, in whole or in part, but only for the following purposes and only as long as the recipient is not charged any fee for the copy (nor may the copy be included as part of a package with other materials or presentations for which a fee is charged):

1. Review of and comment on the draft standard;
2. Provide to others for review and comment;
3. Promotion of the standard; or
4. Informing and educating others about the standard.

In addition, all copies must reproduce a copyright notice as follows:

Copyright 2004 © ISA. All rights reserved. Reproduced and distributed with permission of ISA. ISA reserves all other rights to the draft standard. Any other reproduction or distribution without the prior written consent of ISA is prohibited.

The reader is cautioned that this document has not been approved and cannot be presumed to reflect the position of ISA or any other committee, society, or group. Although every effort has been made to ensure accuracy, neither ISA, members of the S&P Department, nor their employers shall be held liable for errors or limitations.


Editor’s Comment

This is a working draft, owned and maintained by Working Group #2 of the ISA SP-99 committee. All updates and revisions are tracked using a two-tiered structure that includes a Draft number and an Edit number.

Document content is developed in a series of smaller documents, each containing material for a specific section. New Drafts are typically created after each comprehensive review of document content (e.g., working group meetings), with Edits being created as individual sections are added or updated. Explanatory and supporting comments appear throughout this document in Red Bookman-Italic font. They will not appear in final or published versions of the document. This editor’s comment will also be removed from any final or published copies.

dISA-99.00.02

Manufacturing and Control Systems Security

Part 2: Establishing a Manufacturing and Control System Security Program

ISBN: 1-55617-976-6

Copyright © 2005 by the Instrumentation, Systems and Automation Society. All rights reserved. Not for resale. Printed in the United States of America.

ISA

67 Alexander Drive P. O. Box 12277


Preface

This preface, as well as all footnotes and annexes, is included for information purposes and is not part of dISA-99.00.02.

This document has been prepared as part of the service of ISA, the Instrumentation, Systems and Automation Society, toward a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: standards@isa.org.

The ISA Standards and Practices Department is aware of the growing need for attention to the metric system of units in general, and the International System of Units (SI) in particular, in the preparation of instrumentation standards. The Department is further aware of the benefits to USA users of ISA standards of incorporating suitable references to the SI (and the metric system) in their business and professional dealings with other countries. Toward this end, this Department will endeavor to introduce SI-acceptable metric units in all new and revised standards, recommended practices, and technical reports to the greatest extent possible. Standard for Use of the International System of Units (SI): The Modern Metric System, published by the American Society for Testing & Materials as IEEE/ASTM SI 10-97, and future revisions, will be the reference guide for definitions, symbols, abbreviations, and conversion factors.

It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards, recommended practices, and technical reports.

Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA, or of any of the standards, recommended practices, and technical reports that ISA develops.

CAUTION – ISA adheres to the policy of the American National Standards Institute with regard to patents. If ISA is informed of an existing patent that is required for use of the standard, it will require the owner of the patent to either grant a royalty-free license for use of the patent by users complying with the standard or a license on reasonable terms and conditions that are free from unfair discrimination.

Even if ISA is unaware of any patent covering this Standard, the user is cautioned that implementation of the standard may require use of techniques, processes, or materials covered by patent rights. ISA takes no position on the existence or validity of any patent rights that may be involved in implementing the standard. ISA is not responsible for identifying all patents that may require a license before implementation of the standard or for investigating the validity or scope of any patents brought to its attention. The user should carefully investigate relevant patents before using the standard for the user’s intended application.

However, ISA asks that anyone reviewing this standard who is aware of any patents that may impact implementation of the standard notify the ISA Standards and Practices Department of the patent and its owner.

Additionally, the use of this standard may involve hazardous materials, operations or equipment. The standard cannot anticipate all possible applications or address all possible safety issues associated with use in hazardous conditions. The user of this standard must exercise sound professional judgment concerning its use and applicability under the user’s particular


The following people served as active members of ISA SP-99 Working Group #2 for the preparation of this document:

Name Company Contributor Reviewer

Paul Baybutt Primatech

Rahul Bhojani Bayer

Dennis Brandl BRL Consulting X

Eric Byres BCIT

Keith Chambers Datasweep

Andy Corbbett BP

Eric Cosman The Dow Chemical Company

Lynn Craig

Jean-Pierre Dalzon X

Daniel Dziadiw Schering-Plough

Robert Evans INL X

Lois Ferson

Ron Forrest Ohio State University

Robert Frost-Hunt Suncor

James Gilsinn *** NIST X

Thomas Good * DuPont X

Evan Hand Kraft Foods X

Mark Heard Eastman Chemical

Karen Hirst DuPont

Charles Mastromonico Savannah River Site

Dave Mills ** Procter & Gamble X

Shinji Oda Yokogawa

Richard Oyen ABB X

William Phillips CH2M

Bryan Singer Rockwell Automation X

Brad Taylor

David Teumim Teumim Technical

Loren Uden Equistar X

Bob Webb X

Joe Weiss KEMA, Inc. X

Marge Widmeyer

* Chairman ** Vice Chairman

Manufacturing and Control Systems Security DRAFT dISA-99.00.02 Part 2: Establishing a Manufacturing and Control System Security Program

Contents

1 Scope
1.1 Functional Criteria
1.2 Activity-Based Criteria
2 Definitions
2.1 Information Technology (IT)
2.2 Cyber Security Management System (CSMS)
2.3 Human-Machine Interface (HMI)
2.4 stakeholder
2.5 asset
2.6 business continuity plan
2.7 gatekeeper
2.8 consequence
2.9 Safety Instrumented System (SIS)
2.10 Burner Management System
2.11 Manufacturing Execution System (MES)
2.12 likelihood
2.13 threat likelihood
2.14 vulnerability likelihood
2.15 risk tolerance
2.16 Programmable Logic Controller (PLC)
2.17 Process Information Management (PIM) system
2.18 Cyber Security Vulnerability Assessment (CSVA)
2.19 Vulnerability Assessment Methodology (VAM)
2.20 risk mitigation
2.21 account
2.22 operator
2.23 Health, Safety, and Environmental (HS&E)
2.24 Media Access Control (MAC) address
2.25 change management
2.26 legacy system
2.27 incident

2.31 Process Safety Management (PSM)
2.32 social engineering
2.33 Six-Sigma
2.34 authenticator
2.35 Administrative Practices
2.36 Local user
2.37 Remote user
3 Normative References
3.1 Other References
3.2 Informational References & Resources
3.2.1 Industry/Sector Specific
3.2.2 Websites
3.2.3 Other Documents & Resources
4 Executive Overview
4.1 Maturity of a Company’s Cyber Security Program
4.2 Establishing an Integrated Security Program
4.2.1 Overview of a Cyber Security Management System
4.2.2 Activities Required to Develop a Cyber Security Program
4.3 How to Use This Document
5 Establishing the Business Case for Manufacturing and Control System Security
6 Activities Required to Develop a Cyber Security Management System – An Overview
6.1 Activity 1 – Develop a Business Case
6.2 Activity 2 – Obtain Leadership Commitment, Support, and Funding
6.3 Activity 3 – Define the Charter and Scope of M&CS Security for Your Company
6.4 Activity 4 – Form a Team of Stakeholders
6.5 Activity 5 – Raise Staff Cyber Security Capability Through Training
6.6 Activity 6 – Characterize the Key M&CS Risks
6.7 Activity 7 – Prioritize and Calibrate Risks
6.8 Activity 8 – Establish High-Level Cyber Security Policies that Support the Risk Tolerance Level
6.9 Activity 9 – Organize for Security
6.10 Activity 10 – Inventory M&CS Devices and Networks
6.11 Activity 11 – Screening and Prioritization of M&CS Systems

6.13 Activity 13 – Develop Detailed M&CS Cyber Security Policies and Procedures
6.14 Activity 14 – Define the Standard Set of M&CS Security Risk Mitigation Controls
6.15 Activity 15 – Develop Additional Elements of the Cyber Security Management System Plan
6.16 Activity 16 – Quick Fix
6.17 Activity 17 – Charter, Design, and Execute Cyber Security Risk Mitigation Projects
6.17.1 Charter the Cyber Security Risk Mitigation Project
6.17.2 Project Design
6.17.3 Project Execution
6.17.4 Decisions to Make When Planning a Test Program
6.17.5 Testing
6.18 Activity 18 – Refine and Implement the Cyber Security Management System
6.19 Activity 19 – Adopt Continuous Improvement Operational Measures
7 Activities Required to Develop a Cyber Security Management System – A Detailed Discussion
7.1 Activity 1 – Develop a Business Case
7.1.1 Key Components of the Business Case
7.2 Activity 2 – Obtain Leadership Commitment, Support, and Funding
7.2.1 Identify Appropriate Senior Managers
7.2.2 Identify Gatekeepers and Persuade, If Necessary
7.2.3 Revise the Business Case, If Necessary
7.2.4 Present the Case to the Senior Managers
7.2.5 Prerequisites
7.3 Activity 3 – Define the Charter and Scope of M&CS Security for Your Company
7.3.1 Prerequisites
7.4 Activity 4 – Form a Team of Stakeholders
7.4.1 Prerequisites
7.5 Activity 5 – Raise Staff Cyber Security Capability Through Training
7.5.1 Plan
7.5.2 Do
7.5.3 Check
7.5.4 Act
7.5.5 Prerequisites
7.6 Activity 6 – Characterize the Key M&CS Risks
7.6.1 Qualitative vs. Quantitative

7.7 Activity 7 – Prioritize and Calibrate Risks
7.7.1 The Risk Equation
7.7.2 Calibrating Likelihood and Consequence Scales
7.7.3 Risk Tolerance Level
7.7.4 Prerequisites
7.8 Activity 8 – Establish High-Level Cyber Security Policies that Support the Risk Tolerance Level
7.8.1 Prerequisites
7.9 Activity 9 – Organize for Security
7.9.1 Prerequisites
7.10 Activity 10 – Inventory M&CS Devices and Networks
7.10.1 Locate and identify key manufacturing and control devices and systems
7.10.2 Group the devices and systems and develop an inventory
7.10.2.1 Develop Simple Network Diagrams
7.10.3 Prerequisites
7.11 Activity 11 – Screening and Prioritization of M&CS Systems
7.11.1 Preliminary assessment of overall vulnerability of each identified system
7.11.2 Prioritize the Systems
7.11.3 Prerequisites
7.12 Activity 12 – Conduct a Detailed Security Assessment
7.12.1 Select the cyber security vulnerability assessment methodology
7.12.2 Conduct the cyber security vulnerability assessment
7.12.2.1 Pitfalls to avoid
7.12.2.2 Interrelationship with physical security measures
7.12.3 Prerequisites
7.13 Activity 13 – Develop Detailed M&CS Cyber Security Policies and Procedures
7.13.1 Prerequisites
7.14 Activity 14 – Define the Standard Set of M&CS Security Risk Mitigation Controls
7.14.1 Risk Mitigation
7.14.2 Business Continuity Plan
7.14.3 Access Control Procedures
7.14.3.1 Account Administration
7.14.3.2 Authentication
7.14.3.2.1 Authentication for Local Users
7.14.3.2.2 Authentication for Remote Users
7.14.3.2.3 Authentication for Task-To-Task Communication

7.14.3.3.1 Authorization for Local Users
7.14.3.3.2 Authorization for Remote Users
7.14.4 Network Segmentation
7.14.5 Security Tools
7.14.6 Prerequisites
7.15 Activity 15 – Develop Additional Elements of the Cyber Security Management System Plan
7.15.1 Communications, Operations and Change Management
7.15.2 Incident Planning and Response
7.15.3 System Development and Maintenance
7.15.4 Develop and Implement an Integrated Audit and Compliance Process
7.15.5 Prerequisites
7.16 Activity 16 – Quick Fix
7.17 Activity 17 – Charter, Design, and Execute Cyber Security Risk Mitigation Projects
7.17.1 Charter the Cyber Security Risk Mitigation Project
7.17.2 Project Design
7.17.3 Project Execution
7.17.4 Separation of Development and Test Environments
7.17.5 Decisions to Make When Planning a Test Program
7.17.6 Types of Testing
7.17.6.1 Component Testing
7.17.6.2 Integration Testing
7.17.6.3 System Validation Testing
7.17.7 Test Plans
7.17.8 Test Performance
7.17.9 Test data review and analysis
7.17.10 Installation of integrated system components
7.17.11 Prerequisites
7.18 Activity 18 – Refine and Implement the Cyber Security Management System
7.18.1 Prerequisites
7.19 Activity 19 – Adopt Continuous Improvement Operational Measures
7.19.1 Implement Processes for System Development
7.19.2 Types of Operational Measures
7.19.2.1 Audit Results
7.19.2.2 Incident Data

8.1 Introduction
8.2 Overview of the CSMS
8.3 The 18 Key Elements to a Cyber Security Management System
8.3.1 Importance of Cyber Security in Business
8.3.1.1 Statement of Management Practice
8.3.1.2 Applicability to Cyber Security in M&CS
8.3.1.3 Baseline Practices
8.3.1.4 Additional M&CS Security Practices
8.3.1.5 Resources Used
8.3.2 Scope of a Cyber Security Management System
8.3.2.1 Statement of Management Practice
8.3.2.2 Applicability to Cyber Security in M&CS
8.3.2.3 Baseline Practices
8.3.2.4 Additional M&CS Security Practices
8.3.2.5 Resources Used
8.3.3 Security Policy
8.3.3.1 Statement of Management Practice
8.3.3.2 Applicability to Cyber Security in M&CS
8.3.3.3 Baseline Practices
8.3.3.4 Additional M&CS Security Practices
8.3.3.5 Resources Used
8.3.4 Organizational Security
8.3.4.1 Statement of Management Practice
8.3.4.2 Applicability to Cyber Security in M&CS
8.3.4.3 Baseline Practices
8.3.4.4 Additional M&CS Security Practices
8.3.4.5 Resources Used
8.3.5 Personnel Security
8.3.5.1 Statement of Management Practice
8.3.5.2 Applicability to Cyber Security in M&CS
8.3.5.3 Baseline Practices
8.3.5.4 Additional M&CS Security Practices
8.3.5.5 Resources Used
8.3.6 Physical and Environmental Security
8.3.6.1 Statement of Management Practice
8.3.6.2 Applicability to Cyber Security in M&CS

8.3.6.4 Additional M&CS Security Practices
8.3.6.5 Resources Used
8.3.7 Risk Identification, Classification, and Assessment
8.3.7.1 Statement of Management Practice
8.3.7.2 Applicability to Cyber Security in M&CS
8.3.7.3 Baseline Practices
8.3.7.4 Additional M&CS Security Practices
8.3.7.5 Resources Used
8.3.8 Risk Management and Implementation
8.3.8.1 Statement of Management Practice
8.3.8.2 Applicability to Cyber Security in M&CS
8.3.8.3 Baseline Practices
8.3.8.4 Additional M&CS Security Practices
8.3.8.5 Resources Used
8.3.9 Incident Planning and Response
8.3.9.1 Statement of Management Practice
8.3.9.2 Applicability to Cyber Security in M&CS
8.3.9.3 Baseline Practices
8.3.9.4 Additional M&CS Security Practices
8.3.9.5 Resources Used
8.3.10 Infrastructure-Related Operations and Change Management
8.3.10.1 Statement of Management Practice
8.3.10.2 Applicability to Cyber Security in M&CS
8.3.10.3 Baseline Practices
8.3.10.4 Additional M&CS Security Practices
8.3.10.5 Resources Used
8.3.11 Access Control
8.3.11.1 Statement of Management Practice
8.3.11.2 Applicability to Cyber Security in M&CS
8.3.11.3 Account Administration
8.3.11.3.1 Statement of Management Practice
8.3.11.3.2 Applicability to Cyber Security in M&CS
8.3.11.3.3 Baseline Practices
8.3.11.3.4 Additional M&CS Security Practices

8.3.11.4.2 Applicability to Cyber Security in M&CS
8.3.11.4.3 Baseline Practices
8.3.11.4.4 Additional M&CS Security Practices
8.3.11.4.4.1 Authentication for Local Users
8.3.11.4.4.2 Authentication for Remote Users
8.3.11.4.5 Resources Used
8.3.11.5 Authorization
8.3.11.5.1 Statement of Management Practice
8.3.11.5.2 Applicability to Cyber Security in M&CS
8.3.11.5.3 Baseline Practices
8.3.11.5.4 Additional M&CS Security Practices
8.3.11.5.5 Unique Aspect of Authorization for M&CS
8.3.11.5.6 Authorization for Local Users
8.3.11.5.7 Authorization for Remote Users
8.3.11.5.8 Resources Used
8.3.12 Information and Document Management
8.3.12.1 Statement of Management Practice
8.3.12.2 Applicability to Cyber Security in M&CS
8.3.12.3 Baseline Practices
8.3.12.4 Additional M&CS Security Practices
8.3.12.5 Resources Used
8.3.13 System Development and Maintenance
8.3.13.1 Statement of Management Practice
8.3.13.2 Applicability to Cyber Security in M&CS
8.3.13.3 Baseline Practices
8.3.13.4 Additional M&CS Security Practices
8.3.13.5 Resources Used
8.3.14 Staff Training and Security Awareness
8.3.14.1 Statement of Management Practice
8.3.14.2 Applicability to Cyber Security in M&CS
8.3.14.3 Baseline Practices
8.3.14.4 Additional M&CS Security Practices
8.3.14.5 Resources Used
8.3.15 Compliance
8.3.15.1 Statement of Management Practice
8.3.15.2 Applicability to Cyber Security in M&CS

8.3.15.3.1 Statement of Management Practice
8.3.15.3.2 Applicability to Cyber Security in M&CS
8.3.15.3.3 Baseline Practices
8.3.15.3.4 Additional M&CS Security Practices
8.3.15.3.5 Resources Used
8.3.15.4 Scheduling and Conducting Audits
8.3.15.4.1 Statement of Management Practice
8.3.15.4.2 Applicability to Cyber Security in M&CS
8.3.15.4.3 Baseline Practices
8.3.15.4.4 Additional M&CS Security Practices
8.3.15.4.5 Unique Aspects of Scheduling and Conducting Audits for M&CS
8.3.15.4.6 Resources Used
8.3.16 Business Continuity Plan
8.3.16.1 Statement of Management Practice
8.3.16.2 Applicability to Cyber Security in M&CS
8.3.16.3 Baseline Practices
8.3.16.4 Additional M&CS Security Practices
8.3.16.5 Resources Used
8.3.17 Monitoring and Reviewing CSMS
8.3.17.1 Statement of Management Practice
8.3.17.2 Applicability to Cyber Security in M&CS
8.3.17.3 Baseline Practices
8.3.17.4 Additional M&CS Security Practices
8.3.17.5 Resources Used
8.3.18 Maintaining and Implementing Improvements
8.3.18.1 Statement of Management Practice
8.3.18.2 Applicability to Cyber Security in M&CS
8.3.18.3 Baseline Practices
8.3.18.4 Additional M&CS Security Practices
8.3.18.5 Resources Used
Annex A Sample Policies & Procedures
Annex B Sample Vulnerability Assessment Procedure
B.1 Overview of the Process

B.3 Identify and Rate the Threats
B.3.1 Probability Rating Scale
B.3.2 Consequence Rating Scale
B.3.3 Rating the Probability and Consequence of Assets
B.3.4 Prioritize Systems for Implementation Phase of Risk Mitigation Plan
B.4 Design or Select Countermeasures
B.4.1 Implement Risk Mitigation Strategies Based upon Detected Vulnerabilities
B.4.1.1 Risk Mitigation Strategies
B.4.1.2 Mitigation Design
Annex C Integrating Security into Vendor Practices
C.1 Product Development
C.2 Documentation and Training
C.3 Installation
C.4 Response to Discovered Product Security Issues
C.5 Security Patches to Third Party Products
C.6 Compatibility with Third Party Products Such as Anti-virus
C.7 Support of the customer’s security analyses and audits
C.8 Working on the Customer’s Premises
Annex D CSMS Key Elements Self-Assessment Questions
D.1 Importance of Cyber Security in Business
D.2 Scope of Cyber Security Management System
D.3 Security Policy
D.4 Organizational Security
D.5 Personnel Security
D.6 Physical and Environmental Security
D.7 Risk Identification, Classification, and Assessment
D.8 Risk Management and Implementation
D.9 Incident Planning and Response
D.10 Communications, Operations, and Change Management
D.11 Access Control
D.11.1 Account Administration
D.11.2 Authentication
D.11.3 Authorization
D.11.3.1 M&CS Authorization
D.12 Information and Document Management

D.14 Staff Training and Security Awareness
D.15 Compliance
D.15.1 Compliance with Legal, Regulatory, and Security Requirements
D.15.2 Scheduling and Conducting Audits
D.16 Business Continuity Plan
D.17 Monitoring and Reviewing CSMS
D.18 Maintaining and Implementing Improvements
Annex E Participation in Industry Forums and Development Programs
E.1 ISA – The Instrumentation, Systems, and Automation Society
E.2 International Electrotechnical Commission (IEC)
E.3 U.S. National Institute of Standards and Technology (NIST)
E.4 Process Control System Cyber Security Forum (PCSRF)
E.5 North American Electric Reliability Council (NERC)
E.6 Chemical Industry Data Exchange (CIDX)
E.7 Institute of Electrical and Electronics Engineers (IEEE)
E.8 International Council on Large Electric Systems (CIGRE)

Figures

Figure 1 – ANSI/ISA-95 Functional Hierarchy
Figure 2 – Maturity Curve for an Integrated Cyber Security Management System
Figure 3 – Resources in a Cyber Security Management System along the Maturity Curve
Figure 4 – Continuous Activity in a Cyber Security Management System
Figure 5 – 18 Key Elements of a CSMS Mapped into the Plan-Do-Check-Act Phases
Figure 6 – Overlapping Stages of a Cyber Security Management System along the Maturity Curve
Figure 7 – Individual Projects in the Cyber Security Management System along the Maturity Curve
Figure 8 – Timeline of Projects for a Cyber Security Management System along the Maturity Curve
Figure 9 – CERT Reported Attacks on Computer Systems
Figure 10 – Timeline of Activities to Develop a Cyber Security Management System
Figure 11 – Relationship of Existing Risk Management Organizations to a New Cyber Security Management System
Figure 12 – Sample Manufacturing and Control Network Inventory Sheet
Figure 13 – Example of a Graphically Rich Network Diagram
Figure 14 – 18 Key Elements of a Cyber Security Management System
Figure 15 – Network Connection Types
Figure 16 – Network Segments Including Corporate Intranet and Dial-In
Figure 17 – Network Segments in Site LAN and Integrated MCN

Tables

Table 1 – Relationship Between the (19) Process Activities and the (18) Key Elements in the CSMS
Table 2 – A Typical Likelihood Scale
Table 3 – A Typical Consequence Scale
Table 4 – A Typical Risk Tolerance Level Matrix
Table 5 – Typical Roles and Training Objectives for Personnel Involved in Cyber Security
Table 6 – Example Data Assets Table
Table 7 – Example Application / Device Assets Table
Table 8 – Example Probability / Consequence Table
Table 9 – Example Threat Probability Table
Table 10 – Quantitative Assessment of Probability and Consequence Ratings
Table 11 – Example Device Assets Table With Data
Table 12 – Example Application / Device Assets Table With Data
Table 13 – Ratings for an Example Application / Device Assets Table
Table 14 – Example Mitigation Strategy Matrix for Application / Device Assets
Table 15 – Ratings for an Example Data Assets Table
Table 16 – Example Mitigation Strategy Matrix for Data Assets

Foreword

Text to Come


Introduction

This is part of a multi-part standard that addresses the subject of Manufacturing and Control Systems security. The focus of the document is on “Establishing a Manufacturing and Control Systems Security Program”, and the purpose is to provide practical guidance and direction on how to establish the business case for a security program and how to design the program to meet your business needs.

Technical questions addressed by this document include:

1. Question #1?
2. Question #2?
3. etc.

Additional parts of the standard currently planned or under development include:

• ISA 99.00.01 – Models and Terminology
• ISA 99.00.03 – Operating a Manufacturing and Control Systems Security Program
• ISA 99.00.04 – Specific Security Requirements for Manufacturing and Control Systems

There is also a technical report associated with this standard. This technical report may be updated more frequently than indicated in this standard. Refer to ISA for the most recent version.


1 Scope

In defining the scope of this standard, the concept of Manufacturing and Control Systems (M&CS) electronic security is applied in the broadest practical sense, encompassing all types of manufacturing plants and facilities, as well as other processing operations such as utilities (e.g., electric, gas and water), pipelines and transportation systems, and other industries that use automated or remotely controlled vehicles.

Specifically, Manufacturing and Control Systems include all systems that can affect or influence the safe, secure and reliable operation of an industrial process. They include, but are not limited to:

• Process Control Systems, including Distributed Control Systems (DCS), Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), Intelligent Electronic Devices (IED), Supervisory Control and Data Acquisition (SCADA), networked electronic sensing and control, and monitoring and diagnostic systems. (In this context, process control systems include Basic Process Control System (BPCS) and Safety Instrumented System (SIS) functions, whether they are physically separate or integrated.)

• Associated information systems such as advanced or multi-variable control, online optimizers, dedicated equipment monitors, graphical interfaces, process historians, manufacturing execution systems and plant information management systems.

• Associated internal, human, network, or machine interfaces used to provide control, safety, and manufacturing operations functionality to continuous, batch, discrete, and other processes.

Scope may be defined in terms of a functional reference model, or by providing a set of criteria for selecting activities that are considered to be included. Each of these methods is applied in the following sections.

1.1 Functional Criteria

The scope of this standard can be expressed in terms of the range of functionality addressed. Such functionality is usually described in the form of a logical model. One example of such a model that is relevant to the process industries is presented in ANSI/ISA-95 and reproduced in Figure 1. Similar models could be used to describe functional scope for other types of industries.

The primary focus of this standard is on levels 0 through 3 of the ANSI/ISA-95 model. Business Planning and Logistics Systems (i.e., Level 4) are not included within the scope of this document, although the integrity of data communications from the Manufacturing and Control Systems domains into the Enterprise Resource Business Systems should be included.

Figure 1 – ANSI/ISA-95 Functional Hierarchy

• Level 4 – Business Planning & Logistics: plant production scheduling, operational management, etc. Establishing the basic plant schedule (production, material use, delivery, and shipping) and determining inventory levels. Time frame: months, weeks, days.

• Level 3 – Manufacturing Operations Management: dispatching production, detailed production scheduling, reliability assurance, etc. Work flow / recipe control to produce the desired end products; maintaining records and optimizing the production process. Time frame: days, shifts, hours, minutes, seconds.

• Level 2 – Batch, discrete and continuous control: monitoring, supervisory control and automated control of the production process.

• Level 1 – Sensing the production process, manipulating the production process.

• Level 0 – The actual production process.

1.2 Activity-Based Criteria

It is also possible to describe the scope of the standard in terms of the activities that are addressed. A system should be considered to be within the scope of this standard if any of the following criteria are met:

• The activity performed is critical to process safety

• The activity performed is critical to process reliability or availability

• The activity performed is critical to process efficiency

• The activity performed is critical to product quality

• The activity performed is critical to maintaining regulatory compliance

This includes systems whose compromise could result in the endangerment of public or employee health or safety, loss of public confidence, violation of regulatory requirements, loss or invalidation of proprietary or confidential information, economic loss or impact on entity, local or national security.


2 Definitions

2.1 Information Technology (IT)

Information technology by itself describes the computer-related assets of an organization that represent non-physical assets. These may be things like software applications, process programs, personnel files, etc. Throughout this document, this use of the term “information technology” is not abbreviated. Another use of Information Technology (IT) refers to the company’s internal organization (e.g. the IT department) or the items that are traditionally maintained by this department (e.g. the administrative computers, servers, network infrastructure, etc.).

2.2 Cyber Security Management System (CSMS)

A program designed by an organization to maintain the security of the entire organization’s assets, whether they are on the business side or the Manufacturing & Control System side of the organization.

2.3 Human-Machine Interface (HMI)

A device used to convey and collect information to and from an operator for a particular device. In many cases, these involve video screens or computer terminals, push buttons, auditory feedback, flashing lights, etc.

2.4 Stakeholder

Stakeholders are personnel in an organization responsible for promoting and overseeing the cyber security process. These personnel include the manager of the cyber security program as well as the cross-functional team of individuals from all of the departments affected by the cyber security program.

2.5 Asset

An asset is any item that should be protected as part of the cyber security management system. These may be physical assets (e.g. operator stations, SCADA systems, PLCs, etc.), or they can be data assets (e.g. control algorithms, set points, account names and passwords, etc.).

2.6 Business continuity plan

2.7 Gatekeeper

Gatekeepers are the trusted individuals that senior managers use to filter the important issues they need to address from the other issues that others are more suited to address.

2.8 Consequence

A consequence is the result that occurs from a security incident.

2.9 Safety Instrumented System (SIS)

A system specifically designed to monitor certain conditions to maintain the safety of the facility.

2.10 Burner Management System


2.11 Manufacturing Execution System (MES)

2.12 Likelihood

The chance, expressed quantitatively or qualitatively, that an incident may occur.

2.13 Threat likelihood

The likelihood that a particular threat will occur.

2.14 Vulnerability likelihood

The likelihood that a particular vulnerability will be exploited.

2.15 Risk tolerance

2.16 Programmable Logic Controller (PLC)

A type of control system that is tightly coupled to the equipment it controls and usually located in a relatively small area

NOTE: PLCs are commonly found in manufacturing lines, electrical transmission and distribution facilities, pulp and paper facilities, etc.

2.17 Process Information Management (PIM) system

2.18 Cyber Security Vulnerability Assessment (CSVA)

2.19 Vulnerability Assessment Methodology (VAM)

2.20 Risk mitigation

2.21 Account

An access control function that allows the user(s) access to a particular set of data or functions for certain equipment

NOTE: Many times accounts are linked to user ID’s and passwords. These user ID’s and passwords may be linked to an individual or group of individuals.


2.23 Health, Safety, and Environmental (HS&E)

2.24 Media Access Control (MAC) address

The hardware address that differentiates one device on a network from another

NOTE: For some networks, like Ethernet, this address is typically encoded on a chip in the device, while in some industrial networks, like DeviceNet, these can be controlled in software or with a hardware switch.

2.25 Change management

The process of controlling and documenting any change in a system to maintain the proper operation of the process equipment

2.26 Legacy system

Systems that already exist in a facility today that may not be removable/replaceable

2.27 Incident

2.28 ISO/IEC 17799

2.29 Compliance

2.30 Remote access

2.31 Process Safety Management (PSM)

2.32 Social engineering

2.33 Six-Sigma


2.35 Administrative Practices

Defined and documented practices/procedures that individuals are personally accountable to follow at all times.

NOTE: These are usually in the conditions of employment for the organization. In the M&CS environment, these often have HS&E implications.

2.36 Local user

A user who is physically present in the immediate manufacturing area or control room

2.37 Remote user

A user who is not physically present in the immediate manufacturing area or control room

2.38 Ushered Access

The procedure for monitoring the actions of a remotely connected user, also called Shadowing.

2.39 Evergreen Process


3 Normative References

The following normative documents contain provisions which, through reference in this text, constitute provisions of this part of this standard. At the time of publication, the editions indicated were valid. All normative documents are subject to revision, and parties to agreements based on this part of this standard are encouraged to investigate the possibility of applying the most recent editions of the normative documents indicated below. Members of IEC and ISO maintain registers of currently valid normative documents.

1. ANSI/ISA-95.00.01-2000, Enterprise-Control System Integration Part 1: Models and Terminology – Referred to throughout this document as “ISA-95, Part 1”

2. ANSI/ISA-88.01-1995, Batch Control Part 1: Models and Terminology – Referred to throughout this document as “ISA-88, Part 1”

3. ANSI/ISA-TR99.00.01-2004, Security Technologies for Manufacturing and Control Systems – Referred to throughout this document as “ISA-TR99.00.01”

3.1 Other References

The following documents contain material referenced in this standard.

4. Purdue Research Foundation, A Reference Model for Computer Integrated Manufacturing, 1989, ISBN 1-55617-225-7 – Referred to throughout this document as the “Purdue Model”

5. Guidance for Addressing Cybersecurity in the Chemical Sector, Version 2.0, December 2004, Chemical Industry Data Exchange (CIDX) – Referred throughout this document as “CIDX Guidance for Cybersecurity”

6. Report on Cybersecurity Vulnerability Assessments Methodologies, Version 2.0, November 2004,CIDX – Referred to throughout this document as “CIDX Report on CSVA”

7. Cybersecurity Reference Model, Version 1.0, August 2004, CIDX – Referred to throughout this document as “CIDX Reference Model”

8. NASA/Science Office of Standards and Technology (NOST),

http://ssdoo.gsfc.nasa.gov/nost/isoas/us04/defn.html

9. Zachmann Enterprise Reference Model,http://www.zifa.com/

10. ISO/IEC International Standard 17799, Information Technology – Code of Practice for Information Security Management, 2000 – Referred to throughout this document as “ISO/IEC 17799”

11. British Standard 7799-2:2002, Information Security Management – Specification with Guidance for Use, September 2002 – Referred to throughout this document as “BS 7799”

3.2 Informational References & Resources

The following sources were used in the development of this document but do not have specific references to content in this standard.

3.2.1 Indus try/Sector Specific


• Guidance for Cybersecurity Vulnerability Assessment Methodology Process, Version 1.0, CIDX. Document superseded by Report on Cybersecurity Vulnerability Assessment

• U.S. Chemicals Sector Cyber-Security Strategy, June 2002

3.2.2 Websites

• Sarbanes – Oxley website, http://www.sarbanes-oxley.com/

• SANS website, http://www.sans.org/

• MIS Training Institute, http://www.misti.com/

• U.S. National Institute of Standards & Technology, http://www.nist.gov/

• Information Systems Technology Audit Programs, http://www.auditnet.org/asapind.htm

• eScan Security Assessment, http://www.escan.nist.gov/sat/index.htm

• American National Standards Institute, http://www.ansi.org/

• IDEAL Model, http://www.sei.cmu.edu/ideal/ideal.html

3.2.3 Other Documents & Resources

• Report on the Evaluation of Cybersecurity Self-assessment Tools and Methods, November 2004, CIDX – Referred to throughout this document as “CIDX Report on Self-assessment”

• NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, July 2002 – Referred to throughout this document as “NIST SP 800-30”

• Carlson, Tom, Information Security Management: Understanding ISO 17799, 2001, http://www.responsiblecaretoolkit.com/pdfs/Cybersecurity_att3.pdf – Referred to throughout this document as “Understanding ISO 17799”

• ISO/IEC International Standard 15408, Common Criteria – Referred to throughout this document as “ISO/IEC 15408”

• NIST Special Publication 800-61, Computer Security Incident Handling Guide, January 2004 – Referred to throughout this document as “NIST SP 800-61”

• NIST Process Control Security Requirements Forum (PCSRF), Industrial Control System – System Protection Profile (SPP) – Referred to throughout this document as “PCSRF ICS-SPP”

• Control Objectives for Information and Related Technology (COBIT), http://www.isaca.org/

• Corporate Governance Task Force, “Information Security Governance – A Call to Action”, http://www.cyberpartnership.org/InfoSecGov4_04.pdf


4 Executive Overview

Addressing cyber security on a company-wide basis can seem like a daunting task. A frequent question is “Where do I begin?” After some initial investigation often comes a plea: “Just tell me what I have to do!” Unfortunately there is no simple cookbook for security, and there is good reason for this: there is no one-size-fits-all set of security practices. Absolute security, even if it were achievable, would probably be undesirable because of the loss of functionality that would be necessary to reach such a near-perfect state. Security is really a balance of risk versus cost, and all situations will be different. In some situations the risk may be safety, health, or environmental related rather than purely an economic impact. The risk may have an unrecoverable consequence rather than a temporary financial setback. Therefore a cookbook set of mandatory security practices will either be overly restrictive and likely quite costly to follow, or be insufficient to address the risk.

Although the actual security policies and practices cannot be addressed with a cookbook approach, it is possible to follow a set of guidance that identifies the elements that should be considered in a quality security program and a logical process of how one would go about developing the program. ISA-99.00.02 provides this overall guidance for manufacturing and control systems.

This Executive Overview section of the document is an easy “must-read” that builds the foundation for understanding the large set of details and key terms found in the document. It is intended to provide:

• An initial grounding and understanding of the big picture of what it takes to implement a cyber security program

• An understanding of what a cyber security management system is

• An understanding of how one would go about developing the cyber security management system appropriate for your company

4.1 Maturity of a Company’s Cyber Security Program

Driven by increasing cyber security risks, many companies have taken a proactive approach towards Information Technology security. Certain sectors have also begun to establish cyber security procedures for their characteristic process control systems and networks.

Historically, Information Technology (IT) and Manufacturing organizations operated in two mutually exclusive areas, and the expertise and requirements of each organization were not understood or appreciated by the other. Issues arose as organizations tried to employ common IT security practices to manufacturing and control systems. In some cases, the security practices were in opposition to normal manufacturing procedures designed to maximize safety and continuity of production. Because today’s open information technologies are used extensively in manufacturing and control systems, additional knowledge is required to safely employ these technologies. The IT and manufacturing organizations need to work together and bring their knowledge and skills together to tackle security issues. In industries with a high potential for safety, health, or environmental incidents, it is important to bring Process Safety Management and physical security personnel to the table as well.

The goal is a “mature” security program that integrates all aspects of cyber security, incorporating desktop and business computing systems, manufacturing and control systems, and the value chain systems interacting with customers, suppliers, and transportation providers. Figure 2 shows the integration journey most businesses face while trying to reach maturity.

Figure 2 – Maturity Curve for an Integrated Cyber Security Management System (maturity of a cyber security program plotted against time for manufacturing and control systems, desktop and business systems, and value chain systems cyber security, with Point A and Point B marking positions along the curve)

As indicated in the graphic, many companies have fairly detailed and complete cyber security programs for their desktop and business computer systems, but cyber security management procedures are not as fully developed for manufacturing and control systems and value chain systems.

While the desired end result is the same (a cyber security management system that encompasses all aspects of electronic security), every company’s journey to achieve that goal will be different based on company objectives and tolerance for risk. Integrating cyber security into a company’s standard practices is a cultural change that takes time and resources. As Figure 2 suggests, it cannot be achieved in one step. It is an evolution that standardizes on the approach to cyber security.

The security procedures implemented are proportionate to the risk level and will vary from one company to another. They may even be different for various operations within the same company based on global needs and requirements. Individual policies and procedures may also be different for each class of system within a company because the levels of risk and security requirements are different. The cyber security management system establishes the overall program that accommodates these differences. Some of the options for handling the differences between the IT and manufacturing organizations and developing a mature cyber security management system include:

• Training the manufacturing and process control personnel to understand technology and cyber security issues

• Training IT personnel to understand manufacturing processes and technologies, along with the Process Safety Management (PSM) processes and methods

• Developing procedures that join the skill sets of both organizations to deal with cyber security collaboratively

For the cyber security program to be successful, it is important to bring together the right mix of people on both the mitigation projects and the overall Cyber Security Management System program development.

Figure 3 – Resources in a Cyber Security Management System along the Maturity Curve (the resources progressively integrated as the program matures: Manufacturing & Controls, Business IT, Process Safety, Network IT, Manufacturing & Operations, Suppliers, and Value Chain Partners, shown against the maturity curves for manufacturing and control systems, desktop and business systems, and value chain systems cyber security)

4.2 Establishing an Integrated Security Program

4.2.1 Overview of a Cyber Security Management System

The cyber security management system is the umbrella set of security policies and procedures that collectively are used to drive cyber security throughout the company. The management system addresses creation of the policies and procedures, mitigation activities to reduce vulnerabilities, periodic reassessment of the changing landscape of vulnerabilities and the effectiveness of institutionalized procedures, and finally, the overall effectiveness of the umbrella program. The maturity of the company’s cyber security program increases as the elements of the cyber security management system are implemented.

The complete cyber security management system consists of 18 key elements that take place in the following four major phases:

• Plan – Establish the scope and policy of the cyber security management system, identify, classify, and assess risks, and develop a business continuity plan.

• Do – Implement and operate the security management system and all its processes.

• Check – Monitor, assess, and measure performance and report results to management for review.

• Act – Take corrective and preventive actions and continually improve performance.

Figure 4 indicates that the activity is a continuous one. The program must be evergreen and will require upgrades to address the changing landscape of security risks.

Figure 4 – Continuous Activity in a Cyber Security Management System (Plan: establish; Do: implement and operate; Check: monitor and review; Act: maintain and improve)

The Cyber Security Management System (CSMS) defined in Section 8 identifies the 18 key elements that should be included in a CSMS. Figure 5 shows the mapping of the 18 key elements into the four macro-level Plan-Do-Check-Act phases described above. In reality, there is also a mini set of Plan-Do-Check-Act steps that will be done as each of the 18 key elements is implemented.

Figure 5 – 18 Key Elements of a CSMS Mapped into the Plan-Do-Check-Act Phases. The figure places the following key elements into the Plan, Do, Check and Act columns:

1. Importance of Cyber Security in Business

2. Scope of Cyber Security Management System

3. Security Policy

4. Organizational Security

5. Personnel Security

6. Physical and Environmental Security

7. Risk Identification, Classification, and Assessment

8. Risk Management and Implementation

9. Incident Planning and Response

10. Communications, Operations, and Change Management

11. Access Control

12. Information and Document Management

13. System Development and Maintenance

14. Staff Training and Security Awareness

15. Compliance

16. Business Continuity Plan

17. Monitoring and Reviewing CSMS

18. Maintaining and Implementing Improvements

With any program, there is a starting point and a progression of activities to get to an end state. When applied to the development of an integrated security program, the high level phases can be thought of as overlapping stages along the maturity curve, as shown in Figure 6.

Figure 6 – Overlapping Stages of a Cyber Security Management System along the Maturity Curve (PLAN: CSMS development phase; DO: risk assessment and mitigation phase; CHECK: compliance, audit, and CSMS metrics phase; ACT: take action to make improvements; shown against the maturity curves for manufacturing and control systems, desktop and business systems, and value chain systems cyber security)

It is important to consider the overall design of the cyber security management system early and incorporate that thinking as the program is developed. While not all of the implementation details are required at the outset, it is extremely important to establish responsibilities, accountabilities, corporate principles, and high-level policies that guide further development of the key Cyber Security Management System elements and the overall program.

During the cyber security journey, it is necessary to identify the unsatisfactory risks that require the proper mitigating controls to reduce the level of risk. A common approach is to launch targeted projects that employ a project-based Plan-Do-Check-Act (PDCA) model. Figure 7 shows how individual projects contribute to a higher level of security procedures as the program matures.

Figure 7 – Cyber Security Mitigation Projects along the Maturity Curve (each project, for example “DCS Area A, Site 1 Project”, “DCS Area B, Site 1 Project”, “PLC Area C, Site 3 Project”, “Vendor Interface Improvement Project”, “New Production Area Project”, “New Value Chain Project” and “Strong Authentication Program for Remote Users”, runs its own Plan-Do-Check-Act cycle and contributes to the maturity curves for manufacturing and control systems, desktop and business systems, and value chain systems cyber security)

4.2.2 Activities Required to Develop a Cyber Security Program

As was indicated earlier in the document, the cyber security management system identifies the kinds of procedures that should be in place in a security program. Getting to that end state is a journey that will be different for each company. However, despite company differences, there is a fairly common logical set of activities that lead to the development of the cyber security management system. The figure below attempts to identify the activities and depict the relationship and timing of these activities during the development of the cyber security management system. Section 6 gives a high level overview description for each of the 19 process activities depicted in the figure.

Realize that every company’s approach to the process will be different based on the company’s objectives, tolerance for risk, and degree of maturity of their cyber security program. Some companies may choose to combine or eliminate steps along the journey.

Some activities may be sequential and need to be completed before the next activity can begin; others can be done in parallel. Figure 8 shows the timeframe involved and points out areas where steps can be overlapped.

Figure 8 – Timeline of Projects for a Cyber Security Management System along the Maturity Curve. The figure plots the following 19 process activities against maturity and time, grouped into the Plan, Do, Check and Act phases; its legend distinguishes activities that MUST be completed before proceeding to the next activity from activities that DO NOT need to be completed before proceeding to the next activity:

1. Develop a Business Case

2. Obtain Leadership Commitment, Support, and Funding

3. Define the Charter and Scope of M&CS Security for Your Company

4. Form a Team of Stakeholders

5. Raise Staff Cyber Security Capability Through Training

6. Characterize the Key M&CS Risks

7. Prioritize & Calibrate Risks

8. Establish High-Level Cyber Security Policies that Support the Risk Tolerance Level

9. Organize for Security

10. Inventory M&CS Devices & Networks

11. Screening and Prioritization of M&CS Systems

12. Conduct a Detailed Screening Assessment

13. Develop Detailed M&CS Cyber Security Policies and Procedures

14. Define the Standard Set of M&CS Security Risk Mitigation Controls

15. Develop Additional Elements of the Cyber Security Management System Plan

16. Quick Fix

17. Charter, Design, and Execute Cyber Security Risk Mitigation Projects

18. Refine and Implement the Cyber Security Management System

19. Adopt Continuous Improvement Operational Measures

4.3 How to Use This Document

system. Some companies question why they need to spend money to address cyber security. Section 5 discusses the business case and bottom line benefit to a company for addressing cyber security. It highlights some business benefits specific to manufacturing and control systems that can be obtained through improved cyber security procedures.

Figure 8 introduced a logical set of 19 process activities that lead up to establishment of the cyber security management system. Their details were omitted to keep the Executive Overview brief. The reader of this document should review Section 6 to gain additional insight into the process/journey leading to the cyber security management system. It is fairly brief and is meant to be an educational overview to further explain the process.

Once the big picture is understood, the reader should review Section 7 to obtain detailed guidance on the 19 process activities, to assist the team of cyber security implementers to lay out and execute the plan. Section 7 begins to focus more on the manufacturing and control system aspects of cyber security. Section 7 includes a mapping of the 19 process activities to the 18 key elements in the cyber security management system that result from executing the 19 process activities in the plan. The details of the cyber security management system are described in Section 8. Each of the 18 key elements is discussed in detail along with references to supporting information that is available in other standards and commercially available documents. This section should be used to measure the completeness of a company’s cyber security procedures for manufacturing and control systems. The section does not describe a one-size-fits-all approach, though. It is meant to stimulate thinking and provide resources that a company can use as it determines its approach to implementing corporate security management procedures throughout its IT and manufacturing and control systems.


5 Establishing the Business Case for Manufacturing and Control System Security

Within each organization, the journey to develop an effective Cyber Security Program for Manufacturing & Control Systems starts with individuals who recognize the risks the organization is taking and begin to articulate these risks internally, not just in technical terms, but in business terms that resonate with upper management. The negative business consequences of cyber attacks against Manufacturing & Control Systems can include the following:

• Reduction or loss of production at one site or multiple sites simultaneously

• Injury or death of employees

• Injury or death of persons in the community

• Damage to equipment

• Environmental damage

• Violation of regulatory requirements

• Product contamination

• Criminal or civil legal liabilities

• Loss of proprietary or confidential information

• Loss of brand image or customer confidence

• Economic loss

In prioritizing the risk of these consequences occurring it will also be important to consider the potential source or threat that initiates a cyber attack and the likelihood that such an event would occur. Cyber threats could arise from sources inside or outside of an organization, threats could be the result of either intentional or unintentional actions, and threats could either be directed at a specific target or undirected. Cyber security incidents can result from any of the following types of threat agents:

• Thrill-seeking, hobbyist or alienated individuals who gain a sense of power, control, self-importance, and pleasure through successful penetration of computer systems, either via undirected attacks (viruses and worms) or directed attacks (hacking), to steal or destroy information or disrupt an organization’s activities.

• Disgruntled employees or contractors who damage systems or steal information for revenge or profit.

• Well-intentioned employees who inadvertently make changes to the wrong controller or process.

• Employees who break quality, safety, or security policies or procedures to meet other urgent needs (production goals, etc.)

• Adversary nations or groups who use the internet as a military weapon for cyber warfare to disrupt the command, control and communication capabilities of a foe.

Documented cases provide insight into how, and how often, one of these threat agents succeeds in inflicting negative business consequences. The rapid adoption of new network technologies has led to the development of new tools to enable cyber attacks. Without a recognized, publicly accessible incident reporting system, it will be extremely difficult in the near future to determine a quantitative likelihood of any specific type of event occurring. Likelihood will need to be evaluated qualitatively, based on an organization’s own internal incident history and on the few cases that have been publicly documented. Several of these cases are described below:

• In January, 2003, the SQL Slammer Worm rapidly spread from one computer to another across the internet and within private networks. It penetrated a computer network at Ohio's Davis-Besse nuclear power plant and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall. The infection entered through an unprotected interconnection between the plant and corporate networks. The same worm downed one utility's critical SCADA network after moving from a corporate network to the control center LAN. Another utility lost the Frame Relay network it used for communications, and some petrochemical plants lost Human Machine Interfaces (HMIs) and data historians. A 911 call center was taken offline, airline flights were delayed and canceled, and bank ATMs were disabled.

• Over several months in 2001, a series of cyber attacks were conducted on a computerized waste water treatment system by a disgruntled contractor in Queensland, Australia. One of these attacks caused the diversion of millions of gallons of raw sewage into a local river and park. There were 46 intrusions before the perpetrator was arrested.

• In September, 2001, a teenager allegedly hacked into a computer server at the Port of Houston in order to target a female chat room user following an argument. It was claimed that the teenager intended to take the woman's computer offline by bombarding it with a huge amount of useless data, and that he needed to use a number of other servers to be able to do so. The attack bombarded scheduling computer systems at the world's eighth largest port with thousands of electronic messages. The port's web service, which contained crucial data for shipping pilots, mooring companies and support firms responsible for helping ships navigate in and out of the harbor, was left inaccessible.

• The CERT organization has been monitoring and tracking the number of attacks on internet-connected systems since 1988. In 2004 it stopped tracking the number of attacks, because the prevalence of automated attack tools has made attacks so commonplace that the number of incidents reported provides little information for assessing the scope and impact of attacks. A graph of the CERT incident data is shown below to demonstrate the dramatic increase that occurred over the preceding 15 years.


[Figure 9 - CERT Reported Attacks on Computer Systems: bar chart of the number of incidents reported to CERT per year, 1988 to 2003; vertical axis "Number Reported to CERT", 0 to 140,000]

While various industries may find certain types of business impact of more concern, and may consider certain types of threats more likely, all industries that use manufacturing and control systems should recognize that they are entering a new risk environment. As manufacturing and control systems have adopted commercial IT operating systems and network technologies, and as users have interconnected their private networks with their manufacturing and control system networks, the number of threats has also grown dramatically. In virtually all of these cases the security-related work processes and technologies developed for classical IT applications have not been deployed, partly due to ignorance but partly due to valid constraints that do not exist in classical IT applications. The objective of this standard is to address both issues.
