ISA Committee Meeting

ISA 67 Alexander Drive P.O. Box 12277 Research Triangle Park, NC 27709 PHONE (919) 549-8411 FAX (919) 549-8288 E-MAIL [email protected] www.isa.org
Author: Clare Hall

ISA Committee Meeting
ISA99: Industrial Automation and Control Systems Security

Date/Time/Location: Tuesday, June 23, 2015 to Thursday, June 25, 2015; Frankfurt, Germany

Remote access: At the time of the meeting, dial the toll number and enter the participant code: (To be provided prior to the meeting)

Distribution: ISA99 committee members and stakeholders

Committee Portal: http://isa99.isa.org

Introduction

The purpose of this general meeting of the ISA99 committee on Industrial Automation and Control Systems (IACS) security was to review the status of the work products in the ISA/IEC-62443 series of standards, and to provide a venue for work and task group meetings on specific topics. Attendance was open to all members of the ISA99 committee, as well as any external parties with an interest in this subject. A list of those attending appears in Annex A.

Agenda at a Glance

The agenda for the meetings is shown below.

Time | Tues June 23 | Wed June 24 | Thurs June 25
8:30, 10:15 | Welcome Sessions and Committee Status Report | 62443 Fundamental Concepts (1) | WG4TG6: 62443-4-1 working session.
Lunch (12:00 – 13:30)
13:30 | WG12 Metrics | WG12 Metrics Clauses 4 and 5 | Lessons from 62443-2-4
15:30 | Overview of 62443-3-2 | Common Committee Topics (2) | Lessons from 62443-3-3

(1) The fundamental concepts discussion will include a presentation from Pierre Kobes on the concept of protection levels, using material from the German national committee.
(2) The specific topics addressed in this session will depend somewhat on the issues and questions identified in the Tuesday sessions.

Revised: July 27, 2015


Session Descriptions

Tuesday (08:30) – Welcome Session and Committee Status

The purpose of this session was to welcome those who may be new participants, and provide a brief summary of the status of the committee and its work plans. Topics included:

- Committee scope and purpose
- Membership update
- Introduction to the committee work plan
  o Recent changes
  o Milestones
  o Current Challenges

The following comments were noted from this discussion:

1. Guidance on interpreting the ISA 62443 documents would be helpful to users, and perhaps could be included in a Frequently Asked Questions format as an annex to one or more of the documents.
2. Relatedly, suggestions were made that the committee should be officially involved in reviewing ISA training courses and materials on ISA 62443 to monitor the interpretation of the standards in those courses.
3. A mechanism that could be used by the committee to better capture the knowledge gained from applying the 62443 standards in industrial applications – perhaps in the form of a handbook or similar – would be valuable.
4. ISA 62443-1-4, envisioned to be a guide on the relationships and usage of the different documents in the ISA 62443 series, needs to be assigned to an ISA99 working group.
5. Scope management and overlap among ISA standards committees is of growing concern to the ISA Standards & Practices Board – especially regarding ISA 62443, which impacts many other ISA committees and their work.
6. Ragnar stated that the US NIST Cybersecurity Framework of 2014 is finding growing use in Europe because it is application oriented – and because it is helpful to supplier companies in benchmarking industry sectors and geographies. It is also finding growing use by cyber insurance providers in assessing risks.
7. It was suggested to align the much-needed 62443-1-1 revision with the NIST Framework – which itself maps primarily to 62443-2-1. The latter was noted as also needing a revision, which too could be aligned with the Framework.
8. Eric Cosman noted that ISA99 has an active relationship with NIST and that NIST has an active outreach internationally.
9. In discussing lifecycle content, it was pointed out that in any given application, product suppliers, system integrators, and asset owners can be the same people or entities.
10. Jeff Potter emphasized that, in the context of 62443-3-3, security levels are based on the perceived capabilities of threats, not on the consequences. As such, all cybersecurity systems must be updated continually to maintain effectiveness.
11. Eric Cosman indicated that ISA99 is likely to adopt the forthcoming IEC 62443-2-4 without modification as soon as it is published. This is the lone document in the 62443 series developed outside of ISA99.


Tuesday (13:30) – WG12 (Metrics)

A recent committee ballot approved the formation of a new work group (WG12) for the purpose of developing the 62443-1-3 work product (System Security Compliance Metrics). This was a work session for this group. The following comments were noted from this discussion:

1. There was a suggestion that it is necessary to define the context and/or target audience before defining a specific metric.
2. The roles identified in the 62443 standards must include that of Service Provider. It is also necessary to clearly distinguish between accountability and responsibility.

Tuesday (13:30) – Overview of 62443-3-2

This session consisted of an overview of the current status and content of this standard. A draft for comment (DC) of 62443-3-2 was circulated in 2013. This resulted in the collection of 600-700 comments. All of these have now been addressed. The title of the standard was subsequently changed to “Security Risk Assessment and System Design” to more accurately describe the purpose of the document. This title change was approved by the committee.

The scope of this standard is primarily the assessment phase of the life cycle. The document has two main parts, including a description of the work flow. The primary content is in clauses four and five. There is also an annex that describes how to arrive at a specific target security level (SL-T).

Work Group 4 Task Group 3 has now completed a new version of the standard and has submitted it to the committee chairs as a committee draft for vote (CDV). This document is currently with the editors and will be issued soon.

The discussion included the following comments and questions:

1. Is the focus of the document on IACS “Solution”, or the more limited “System”?
2. “The SIS should be in a separate zone.” This is not a “shall” because it is permissible to have an integrated SIS (as per ISA84) as long as there is logical separation.
3. Asset owners are under tremendous pressure to assess and document their cyber risk. This pressure is coming from government regulators and from the boards of directors of large corporations. There are numerous standards, regulations and guidelines that require asset owners to perform a cyber risk assessment. However, none of them give complete guidance as to how to do that. This was one of the key objectives in the development of 62443-3-2. The group did not want to prescribe a methodology but did want to provide enough guidance that an asset owner could map their methodology to the standard or use the standard to drive their own methodology.
4. The risk assessment process described in 62443-3-2 has already been adopted and applied by many asset owners in the oil and gas and chemical sectors. In several cases asset owners have documented their internal cyber risk assessment processes following the basic guidance in this document. This process is not just theoretical but has been successfully applied and adopted by several major asset owners.
5. Although the process shown is an example, some participants observed that the pseudo-mathematical calculation described in the document could lead to a wrong perception that there is mathematical logic to calculate the target SL from the risk matrix. They suggested that this should be changed to a more qualitative description of the method.
6. Voting members should look at this document from an asset owner’s perspective even if they are not asset owners.
7. Incident management has to be referenced in the description of the life cycle. It is part of the larger “operate and maintain” process.

Wednesday (08:30) – 62443 Fundamental Concepts

In the course of developing the second edition of 62443-1-1 several “fundamental concepts” have been identified that form the basis for the entire 62443 series. Currently this list includes:

- Life Cycles
- Zones and Conduits
- Security Levels
- Foundational Requirements
- Maturity Levels
- Security and Safety

This session addressed the current situation with respect to several of these concepts for the purpose of identifying any issues or inconsistencies and making plans for resolution. The discussion included the following comments and questions:

1. There is general consensus in support of the view of related life cycles that was originally described by Pierre Kobes and Ragnar Schierholz, based on the VDI/VDE Guideline 2182 on IT Security for Industrial Automation.
2. The zones and conduits concept is introduced in 62443-1-1, as a basis for more detailed description of its application in other standards in the series (especially 62443-3-2). The examples that appeared in the first edition of 62443-1-1 (99.00.01) have been moved to an informative annex.
3. The security levels concept has also been well established in other standards in the 62443 series.
4. The foundational requirements are introduced briefly in 62443-1-1 and described in more detail in 62443-3-3.
5. The best and most concise description of maturity levels appears in 62443-2-4. This will be used as the starting point for the introduction of the concept in 62443-1-1.
6. The security and safety concept is still evolving, but the basic description (in 62443-1-1) will be adapted from the content of current documents such as the ISA-84.00.09 technical report.

Wednesday (13:30) – WG12 (Metrics), continued

This session was a continuation of the WG12 session on Tuesday afternoon. Nadya Bartol presented the process-based framework for developing metrics currently in Clause 4 of the document. Maqbool Hashim and other WG12 members described the process-based framework to develop metrics and the use of SysML to define a minimum set of common data objects for the metric’s records of action. The first attempt to define this model has been based on the content in 62443-2-4. This work was described as a “work in progress.” Dennis Holstein also gave a brief update on the status of clause 6 of 62443-1-3.

Wednesday (15:00) – Committee Topics

This session focused on how to address several current and anticipated challenges, as well as proposals for new material.

Proposal for Protection Levels

Pierre Kobes described a proposal for the definition of “protection levels.” This information was developed by a group that has been working with the German National Committee. It is being offered to the ISA99 committee for use in the 62443 series. Protection levels are similar in some ways to CMMI maturity levels. A combination of security and maturity levels defines the protection level. Protection levels are suitable for use as guidance.

There was a consensus that this subject should be assigned to a new task group for further development. The best alignment for this task group would be under work group 3. Pierre volunteered to lead the group and Lee N. agreed to act as editor. The following follow-up actions are required:

1. Draft a brief description of the effort (Eric, Pierre)
2. Send a call for participation to the ISA99 committee mailing list (Eric)
3. Prepare a more complete task group description (Pierre, Lee)
4. Establish a set of working folders for this TG on the portal (Eric)

Inconsistencies across the 62443 series

Jens Wiesner of the German Federal Office for Information Security and a colleague presented several inconsistencies that have been identified in the course of a third-party review of the available 62443 standards and technical reports. This information will be used by work and task groups to revise the 62443 documents as required.

Thursday (08:30) – Work Group 4 Task Group 6 working meeting

This group is responsible for the 62443-4-1 standard (Product Development Requirements). Mike Medoff led this session to review feedback received on the latest draft document.

Thursday (13:30) – Lessons Learned from Recent Standards

This session consisted of a review of the lessons learned in the course of developing two of our more recently completed standards:

62443-2-4 (Requirements for IACS Solution Suppliers)

Lee Neitzel presented a summary of the status of 62443-2-4, as well as lessons learned in its development. A copy of his presentation is available in the meeting folder on the portal. The group developing this standard received permission from IEC to present their requirements in the form of a spreadsheet, which allows for more flexibility in the handling of this information. This approach can easily be extended to collect the requirements from all of the standards in the 62443 series.

62443-3-3 (System Security Requirements and Security Levels)

Jeff Potter provided a review of the status of 62443-3-3, as well as the lessons learned in its development. Jeff asked if there were any examples of industry use or application of the 62443-3-3 standard. There have been cases where this content was used as the basis for the review of existing security programs. There has been no decision at this time as to when the 62443-3-3 standard should be revised. The IEC maintenance schedule for such documents calls for an interval of 2-5 years and ISA procedures state that the maximum time between such reviews is 5 years.

Meeting Closure

Several points were made during the meeting wrap-up:

1. Attendees were encouraged to send copies of their personal notes to Eric Cosman if they have specific points to be included in the formal meeting notes.
2. The committee chairs are using a general “roadmap” to track progress on our various work products.

ISA/IEC Designation | Title | Current Status | Next Milestone | Next Planned Publication Date
62443-1-1 | Terminology, concepts and models | In revision | DC | Jan 2016
TR62443-1-2 | Master glossary of terms and abbreviations (technical report) | In development | DC | Oct 2015
62443-1-3 | System security compliance metrics | In development | DC | Oct 2016
62443-1-4 | IACS security life cycle and use case | Proposed | DC | TBD
62443-2-1 | IACS security management system Requirements | In revision | CDV |
TR62443-2-2 | IACS security management system Implementation guidance | In development | WD |
TR62443-2-3 | Patch management in the IACS environment (technical report) | Ballot comments in review | ISA TR |
62443-2-4 | Certification of IACS supplier security policies and practices | Plan to adopt | ISA Std |
TR62443-3-1 | Security technologies for IACS (technical report) | In revision | DC |
62443-3-2 | Security assurance levels for zones and conduits | In development | CDV |
62443-3-3 | System security requirements and security assurance levels | Published 2013 | TBD |
62443-4-1 | Product development requirements | In development | CDV |
62443-4-2 | Technical security requirements for IACS components | In development | DC |

[Timeline chart: 2015 Q1 through 2016 Q4 by month, marked with the legend codes below. Further publication dates shown: Nov 2016, May 2016.]

Document States:
WD - Working Draft
DC - Draft for Comment
CD - IEC Committee Draft
CDV - Committee Draft for Vote
ISA Std - ISA Standard
ISA TR - ISA Technical Report
IEC Std - IEC Standard
TBD - To be determined

Legend:
 - Proposed
D - Working Draft
C - Committee Draft for Comment
V - Committee Draft for Vote
M - Address comments
E - Editorial Review
A - ANSI/ISA Approved
P - ISA Published
I - IEC Approved
R - In Revision
W - Withdrawn

The master copy of this document is maintained on the portal at: http://isa99.isa.org/Shared/Planning/Work-Product-Roadmap.xlsx

3. Progress towards issuing our documents continues to be limited by the shortage of editors who are experienced with application of the IEC and IEC style guides.


Annex A – Meeting Attendees Eric Cosman, ISA99 Co-Chair Consultant, Midland Michigan, US [email protected]

Mei Ke ITEI, Beijing China [Email]

Nadya Bartol Utilities Telecom Council, Washington DC, US [email protected]

Timothy Klamert BASF SE, Germany [email protected]

Jens Braband Siemens AG, Germany [email protected]

Pierre Kobes Siemens, Karlsruhe, Germany [email protected]

Piotr Ciepiela EY Business Advisory, Warsaw, Poland [email protected]

Erwin Kruschitz Anapur AG, Frankenthal, Germany [email protected]

Dongqin Feng Zhejiang University, China [email protected]

Mike Medoff Exida [email protected]

Kenneth Frische AE Solutions, Chattanooga Tennessee, US [email protected]

A. (Arjan) Meijer Hudson Cybertec, The Hague, NL [email protected]

Stefanie Gierl ZVEI Frankfurt, Germany [email protected]

Roberto Minicucci General Electric Oil & Gas, Florence, Italy [email protected]

Maqbool Hashim Eigen Ltd, Surrey UK [email protected]

Lee Neitzel, Wurldtech, Austin Texas, US [email protected]

Matthias Heckenberger EnBW Energie Baden-Württemberg AG [email protected]

Jeff Potter, Emerson, Minneapolis Minnesota, US [email protected]

Dennis Holstein OPUS, Seal Beach California, US [email protected]

Charles Robinson ISA, Durham North Carolina, US [email protected]

Torsten Rossel Innominate Security Technologies [email protected]

Miroslaw Ryba, EY Business Advisory, Warsaw, Poland [email protected]

Ragnar Schierholz ABB, Minden, Germany [email protected]

Tatsuaki Takebe Yokogawa, Tokyo, Japan [email protected]

Yumin Wang ITEI, Beijing, China [email protected]

Jens Wiesner Federal Office for Information Security, Germany [email protected]

Tsutomu Yamada Hitachi, Ltd, Tokyo, Japan [email protected]