KENEXIS

CYBER SECURITY FOR THE INDUSTRIAL ENV.:

AN INTRO TO ISA/IEC 62443
Copyright KENEXIS
2012
Copyright Kenexis
2012 Security
Kenexis Corporation
Security Corporation
 Twitter @jimgilsinn
Jim Gilsinn LinkedIn linkedin.com/jimgilsinn

Recently Joined Kenexis Consulting

Network & security design
Previously Worked for U.S. National Institute of
Standards & Technology (NIST)
20 years in Engineering Laboratory
Cyber Security
Co-Chair, ISA99 Committee
Co-Chair, ISA99-WG2 Security Program
Co-Chair, ISA99-WG7 Safety & Security
Industrial Ethernet Reliability & Performance
Developed metrics, tests, and tools
Measure, analyze, and report performance for
industrial Ethernet devices & systems

KENEXIS
Copyright 2012 Kenexis Security Corporation
 KENEXIS
Copyright 2012 Kenexis Security Corporation
ISA99 Committee
The International Society of Automation (ISA)
Committee on Security for Industrial
Automation & Control Systems (ISA99)
Formed in 2002
550+ members
50+ active participants
>200 companies across all sectors, including:
Chemical Processing
Petroleum Refining
Food and Beverage
Energy
Pharmaceuticals
Water
Manufacturing
KENEXIS
Copyright 2012 Kenexis Security Corporation
How Does ISA/IEC 62443
Relate to ISA99?
ISA/IEC 62443 is a Series of Standards
Being Developed by 3 Groups
ISA99 ANSI/ISA-62443
IEC TC65/WG10 IEC 62443
ISO/IEC JTC1/SC27 ISO/IEC 2700x

KENEXIS
Copyright 2012 Kenexis Security Corporation
 KENEXIS
Copyright 2012 Kenexis Security Corporation
Other Documents
ISA-TR62443-0-3, Stuxnet Gap Analysis
Look for gaps in ISA-99.02.01-2009 security
program standard
35 gaps identified
33 recommended improvements
ISA-TR62443-0-4, Implications of SIS
Integration with Control Networks
Build on the work of the LOGIIC Consortium

KENEXIS
Copyright 2012 Kenexis Security Corporation
 KENEXIS
Copyright 2012 Kenexis Security Corporation
 Components of Security
)
(AC

Fo
ol
ntr

u
nd
C o

ati
ss
ce

on
c

al
dA

Re
an
on

qu
ti
es

tica

ire
Or
us

Se en

me
ga
Cla

niz c u ri uth

nts
ati ty ,A
Co on Po on

(cu
mm Ph
y Hu As ofl i cy
ficati

rre
s m se
un ica an tM S ec nti C)

n
i c l u Ide (U

tly)
Sy ati an Re an rity
ste on dE so ag ol
ms sa n u r e m o ntr
vir ce I)
ac nd on sS en eC (D
qu Op me ec t Us ty C)
isit
ion
e ra
tio nta u ri e g ri (D
,d ns lS
ec
ty Int alit
y
ev
elo Ma u ri D ata e nti )
pm na ty fid DF
Ac ge n R )
en ce me Co w( RE
Bu ta
nd ss
Co
nt
D ata Flo n t (T
sin
es In cid m n ata ve
sC ain tro tD oE
on
en
tM ten l
s tric e t
tin a n Re ns A)
uit a na ce s po (R
yM ge Re ty
an m en ely ila bili
ag
em
t Tim Av
a
Co e nt ce
mp ur
lian so
ce Re
Relationships

Intent, Buy-In, Support

Motivation vs. Defiance

Decisions and Awareness

Training and Capability

Clauses (new original content to be developed)

KENEXIS
Copyright 2012 Kenexis Security Corporation
Foundational Requirements
FR 1 Identification and authentication control
FR 2 Use control
FR 3 System integrity
FR 4 Data confidentiality
FR 5 Restricted data flow
FR 6 Timely response to events
FR 7 Resource availability

KENEXIS
Copyright 2012 Kenexis Security Corporation
Security Levels

KENEXIS
Copyright 2012 Kenexis Security Corporation
 Zones &
Conduits
Chemical
Truck
Loading
Example

KENEXIS
Copyright 2012 Kenexis Security Corporation
Zones & Conduits
Manufacturing Example

KENEXIS
Copyright 2012 Kenexis Security Corporation
 KENEXIS
Copyright 2012 Kenexis Security Corporation
Questions, Comments,
Contributions
ISA99 Wiki http//isa99.isa.org
Twitter @ISA99Chair
Committee Co-Chairs
Eric Cosman, [email protected]
Jim Gilsinn, [email protected]
ISA Staff Contact
Charley Robinson, [email protected]
Please provide contact info & area of
expertise/interest
KENEXIS
Copyright 2012 Kenexis Security Corporation