You should have received Day Two materials via email yesterday.
Objectives
• Provide an understanding of the guiding principles of the IEC 62443 standard and how it
can be applied to secure Operational Technology (OT) systems; and
• Ensure that the participants are equipped with the standard’s applicable and relevant
knowledge for securing their respective projects during the planning, design and
implementation phases.
Scope
• 62443-1-1 – Concepts and Models
• 62443-3-2 – Security Risk Assessment and System Design
• 62443-3-3 – System Security Requirements and Security Levels
• 62443-4-2 – Technical Security Requirements for IACS Components
Overview of ISA/IEC 62443 Standards Family
[Figure: standards family overview; each part is labelled with its status: Published, In Development, or Under revision.]
Maturity Levels (ML):
• ML 4 Improving: Using suitable process metrics, product suppliers control the effectiveness and performance of the product and demonstrate continuous improvement in these areas.
• ML 3 Defined (Practiced): The process is repeatable across the supplier’s organization. The processes have been practiced, and evidence exists to demonstrate that this has occurred.
• ML 2 Managed: The product supplier has the capability to manage the development of a product according to written policies. Evidence to show that personnel who will perform the process have the expertise, are trained and/or follow written procedures. Processes are repeatable.
Security Levels (SL):
• SL 4: Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation.
• SL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation.
• SL 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation.
[Figure: Quality: IEC 62443-2-1, IEC 62443-2-4, IEC 62443-4-1; Resilience: IEC 62443-3-3, IEC 62443-4-2; labelled Edition 2.]
Risk: Expectation of loss expressed as the probability that a particular threat will exploit
a particular vulnerability with a particular consequence.
Severity: Loss of Availability and/or Data Integrity has direct impact and loss of
Confidentiality has indirect impact on Functional safety. (SAIC)
[Figure: risk reduction. Axes: Severity and Likelihood; labels: Risk, Threat, Necessary risk reduction, Actual risk reduction, Risk reduction, Residual Risk, Acceptable Risk.]
Residual Risk: The risk exposure after risk mitigating controls are considered.
Zone is defined as groupings of logical or physical assets based upon risk or other criteria
such as criticality of assets, operational function, physical or logical location, required
access, or responsible organization.
Conduit is defined as logical groupings of communication channels that share common
security requirements connecting two or more zones.
[Figure: example zones and conduits. Zones: Control Center, Industrial Control Systems, S1, R1, R2, ICS1; conduits C1, C2, C3.]
The intent is to identify those assets which share common security characteristics in order to establish a set of common security requirements that reduce cybersecurity risk.
The Cybersecurity Bill was passed on 5 Feb 2018 and received the President’s assent on 2 Mar 2018 to become the Cybersecurity Act:
CCOP is a list of Codes of Practice or Standards of Performance issued by the Commissioner of Cybersecurity for the regulation of owners of Critical Information Infrastructure (CII) in accordance with the Cybersecurity Act.
https://www.csa.gov.sg/Legislation/Cybersecurity-Act
• Defines a set of engineering measures that will guide an organization through the process of
assessing the risk of a particular IACS, identifying and applying security countermeasures to
reduce the risk to tolerable levels.
• Audience: Asset Owner, System Integrator, Product Supplier, Service Provider, and Compliance
Authority.
• Primary Steps:
• Establishing the system under consideration (SUC) for an IACS
• Partitioning the SUC into Zones and Conduits
• Assessing risk for each zone and conduit
• Defining a target security level (SL-T) for each zone and conduit
• Documenting the security requirements
The requirements introduced in ISA/IEC 62443-3-2 are referred to as zone and conduit requirements
(ZCR).
Requirement: Clearly identify the SUC, including clear delineation of the security perimeter and identification of all access points to the SUC.
• SUC can include multiple subsystems, including emerging technologies like IIoT or cloud-based solutions. (Instead of the process unit, look at each device individually.)
• Illustrate connectivity.
• Maintain a list or database of all hardware (physical and virtual) and software.
• Hardware: computers, network equipment, automation devices, Virtual Machines (VMs)
• Software: operating systems, applications, databases, firmware.
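The zone and conduit definitions above, together with the ZCR 1 inventory and access-point requirement, can be exercised on a small inventory. The following is an added example and is not code from the training deck or from IEC 62443 itself: it groups SUC assets into zones by the criteria the zone definition names (criticality, operational function, location; an assumed subset of the full list), derives conduits as the channels between each pair of zones, and reports the channels that cross the SUC perimeter as access points. Every asset name, attribute and channel is constructed sample data.

```python
"""Added example (not code from the training deck or from IEC 62443 itself):
deriving zones, conduits and SUC access points from the ZCR 1 inventory and
a list of communication channels. All asset names, attributes and channels
below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str            # hardware, software or VM, as the ZCR 1 inventory lists them
    location: str        # physical or logical location
    function: str        # operational function
    criticality: str     # e.g. "high", "medium", "low"
    in_suc: bool = True  # False: asset sits outside the system under consideration


@dataclass(frozen=True)
class Channel:
    src: str
    dst: str
    protocol: str


EXTERNAL = "EXTERNAL"  # pseudo-zone for everything outside the SUC perimeter


def zone_key(a: Asset) -> Tuple[str, str, str]:
    """Grouping criteria taken from the zone definition (assumed subset):
    criticality, operational function and location."""
    return (a.criticality, a.function, a.location)


def partition(assets: List[Asset], channels: List[Channel]):
    """Return (zones, conduits, access_points).

    zones:         zone id -> sorted names of SUC assets sharing the grouping key
    conduits:      (zone, zone) -> channels running between those two zones
    access_points: channels with one end outside the SUC (ZCR 1 asks for all
                   access points to the SUC to be identified)
    """
    by_name = {a.name: a for a in assets}
    key_to_zone: Dict[Tuple[str, str, str], str] = {}
    zones: Dict[str, List[str]] = defaultdict(list)
    for a in sorted(assets, key=lambda x: x.name):
        if not a.in_suc:
            continue
        k = zone_key(a)
        key_to_zone.setdefault(k, f"Z{len(key_to_zone) + 1}")
        zones[key_to_zone[k]].append(a.name)

    def zone_of(name: str) -> str:
        a = by_name[name]
        return key_to_zone[zone_key(a)] if a.in_suc else EXTERNAL

    conduits: Dict[Tuple[str, str], List[Channel]] = defaultdict(list)
    for ch in channels:
        za, zb = zone_of(ch.src), zone_of(ch.dst)
        if za == zb:
            continue  # traffic that stays inside one zone is not a conduit
        conduits[tuple(sorted((za, zb)))].append(ch)

    access_points = [ch for pair, chs in conduits.items() if EXTERNAL in pair for ch in chs]
    return dict(zones), dict(conduits), access_points


# Constructed sample inventory: a small control network with one outside jump host
ASSETS = [
    Asset("HMI-1", "hardware", "control-room", "supervisory", "high"),
    Asset("Historian-1", "VM", "control-room", "supervisory", "high"),
    Asset("PLC-1", "hardware", "field-1", "control", "high"),
    Asset("PLC-2", "hardware", "field-1", "control", "high"),
    Asset("SIS-1", "hardware", "field-1", "safety", "high"),
    Asset("Jump-1", "hardware", "corporate", "remote-access", "medium", in_suc=False),
]
CHANNELS = [
    Channel("HMI-1", "PLC-1", "modbus"),
    Channel("Historian-1", "PLC-2", "opc-ua"),
    Channel("HMI-1", "Historian-1", "sql"),   # stays inside zone Z1
    Channel("PLC-1", "SIS-1", "modbus"),
    Channel("Jump-1", "HMI-1", "rdp"),        # crosses the SUC perimeter
]

if __name__ == "__main__":
    zones, conduits, aps = partition(ASSETS, CHANNELS)
    for z, names in zones.items():
        print(z, names)
    for pair, chs in conduits.items():
        print(pair, [(c.src, c.dst, c.protocol) for c in chs])
    print("access points:", [(c.src, c.dst, c.protocol) for c in aps])
```

On this input the supervisory assets form one zone, the two PLCs another, and the SIS a third, so the safety system gets its own conduit from the control zone; the single channel from the corporate jump host is the one access point the perimeter delineation must account for.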
• ZCR 5 Requirement:
• Applies to every zone and conduit;
• Allows grouping of zones and conduits if they share similar threats, consequences and/or similar assets.
• Any related risk assessment methodology (ISO 31000, NIST SP 800-39, ISO/IEC 27005) is satisfied by the methodology selected. The initial and detailed risk assessment methodologies should be derived from the same framework, standard or source and must use a consistent risk ranking scale in order to produce consistent and coherent results.
Each category will be scored but only the highest will be used in risk ranking.
Consequence categories (risk areas: Biz Continuity Planning, Information Security, Process Safety, Safety, Environmental):
• High: Mfg. Outage - multiple sites > 7 days; Mfg. Outage - one site > 1 day; Cost > $500 million; Legal: Criminal Offense - Felony; Public Confidence: Loss of Brand Image; People - on site: Fatality; People - off site: Fatality or Major Community Incident; Environment: Citation by Regional/national Agency or long-term, significant damage over large area.
• Medium: Mfg. Outage - multiple sites < 2 days; Mfg. Outage - one site > 1 hour; Cost > $5 million; Legal: Criminal Offense - Misdemeanor; Public Confidence: Complaints or Loss of Customer Confidence; People - on site: Lost workday or major injury; People - off site: Local Community Impact; Environment: Citation by Local Agency.
• Low: Mfg. Outage - multiple sites < 1 day; Mfg. Outage - one site < 1 hour; Cost < $5 million; Legal: None; Public Confidence: None; People - on site: First Aid or recordable injury; People - off site: No Complaints; Environment: Small, contained release below
ZCR5.4-Determine unmitigated likelihood (UTL)
• Evaluate each threat and vulnerability pair to determine the
unmitigated likelihood that the threat will be realized.
• The measure of likelihood may be qualitative or quantitative. One
method is to use a likelihood scale that is defined by the
organization as part of their risk management system.
• Factors considered:
• Motivation and capability of the threat source,
• History of similar threats
• Known vulnerabilities
• Attractiveness of the target
• Existing cybersecurity countermeasures should NOT be considered
when determining unmitigated likelihood. However, the likelihood
determination recognizes any non-cyber independent protection
layers (IPLs)* such as physical security or mechanical safeguards
that are in place to reduce the likelihood.
• Example of likelihood scale: [figure: UTL scale]
ZCR 5.11-Compare residual risk with tolerable risk
• Residual risk shall be compared to the organization’s tolerable risk.
If the residual risk exceeds the tolerable risk, the organization shall
determine if the residual risk will be accepted, transferred or
mitigated based upon the organization’s policy.
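The consequence scoring rule ("only the highest category is used"), the ZCR 5.4 treatment of countermeasures when determining unmitigated likelihood, and the ZCR 5.11 comparison against tolerable risk fit together into one small workflow. The following is an added example and is not code from the training deck, its spreadsheet template, or IEC 62443: the 1-3 consequence scores, the three-step likelihood scale, the one-level likelihood reduction per countermeasure, the risk = severity x likelihood product and the tolerable threshold are all assumptions for illustration, and the threat/vulnerability pair is constructed from the USB example in the case study.

```python
"""Added example (not code from the training deck, its Excel template or
IEC 62443): a small model of the ZCR 5 risk workflow. The 1-3 scores, the
three-step likelihood scale, the one-level reduction per countermeasure and
risk = severity x likelihood are assumptions for illustration; the deck's
spreadsheet formula is not reproduced. The pair below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

LEVEL = {"Low": 1, "Medium": 2, "High": 3}                    # consequence scoring (assumed)
LIKELIHOOD_SCALE = {"Remote": 1, "Possible": 2, "Likely": 3}  # example scale (assumed)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    is_cyber: bool      # False = non-cyber IPL (physical security, mechanical safeguard)
    reduction: int = 1  # likelihood levels removed (assumed)


@dataclass
class ThreatVulnPair:
    threat: str
    vulnerability: str
    base_likelihood: str             # key of LIKELIHOOD_SCALE
    consequences: Dict[str, str]     # consequence category -> Low / Medium / High
    controls: List[Countermeasure] = field(default_factory=list)


def severity(consequences: Dict[str, str]) -> int:
    """Each category is scored, but only the highest is used in risk ranking."""
    return max(LEVEL[v] for v in consequences.values())


def unmitigated_likelihood(p: ThreatVulnPair) -> int:
    """ZCR 5.4: existing cyber countermeasures are NOT credited, but non-cyber
    independent protection layers that reduce likelihood are recognised."""
    lvl = LIKELIHOOD_SCALE[p.base_likelihood]
    lvl -= sum(c.reduction for c in p.controls if not c.is_cyber)
    return max(lvl, 1)


def residual_likelihood(p: ThreatVulnPair) -> int:
    """Likelihood once all countermeasures, cyber and non-cyber, are applied."""
    lvl = LIKELIHOOD_SCALE[p.base_likelihood] - sum(c.reduction for c in p.controls)
    return max(lvl, 1)


def disposition(residual_risk: int, tolerable_risk: int) -> str:
    """ZCR 5.11: compare residual risk with the organisation's tolerable risk."""
    if residual_risk <= tolerable_risk:
        return "within tolerable risk"
    return "exceeds tolerable risk: accept, transfer or mitigate per policy"


def assess(p: ThreatVulnPair, tolerable_risk: int) -> Dict[str, object]:
    sev = severity(p.consequences)
    utl = unmitigated_likelihood(p)
    res = residual_likelihood(p)
    return {
        "severity": sev,
        "UTL": utl,
        "unmitigated_risk": sev * utl,
        "residual_risk": sev * res,
        "disposition": disposition(sev * res, tolerable_risk),
    }


# Constructed sample: the case study's USB example, with and without the cyber control
USB_PAIR = ThreatVulnPair(
    threat="Personnel introduce malware via removable media",
    vulnerability="USB ports on the operator workstation are not disabled",
    base_likelihood="Likely",
    consequences={"Mfg. Outage - one site": "High", "Cost": "Medium", "People - on site": "Low"},
    controls=[
        Countermeasure("Badge-controlled control room", is_cyber=False),
        Countermeasure("USB ports disabled by device-control policy", is_cyber=True),
    ],
)
USB_PAIR_NO_CYBER = ThreatVulnPair(
    USB_PAIR.threat, USB_PAIR.vulnerability, USB_PAIR.base_likelihood,
    USB_PAIR.consequences, [c for c in USB_PAIR.controls if not c.is_cyber],
)
TOLERABLE_RISK = 4  # assumed organisational threshold on the 1-9 product scale

if __name__ == "__main__":
    for pair in (USB_PAIR, USB_PAIR_NO_CYBER):
        print(assess(pair, TOLERABLE_RISK))
```

The two runs give the same unmitigated risk, because the USB device-control policy is a cyber countermeasure and ZCR 5.4 excludes it from the unmitigated likelihood while the badge-controlled room, a non-cyber IPL, is credited; only the residual risk differs, and that is the value ZCR 5.11 compares against the tolerable threshold.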
• Requirement: document the cyber security requirements, assumptions and constraints within the SUC as needed to achieve the SL-T, and provide rationale and supplemental guidance for each requirement.
[Figure: IT versus OT comparison. Labels: Value IT (M/Bln $); Value (k/M $); Service Life (..10 years ?); Service Life (20-30 years); Legacy (long lifecycle) 1980… 2000…2010; New Tech (short/medium lifecycle, IIoT) 2000..2010...2020; priority orderings Confidentiality, Integrity, Availability and Availability, Integrity, Confidentiality; Physical Safety!]
Functional Safety & Industrial Cyber Security Co-Engineering
[Figure: Purdue Reference Model with response timescales. IT World: Cyber Threats (unintentional, intentional); OT levels: Cyber Threats (intentional, unintentional); timescale labels (days), (hrs), (μs / ms), (0 / μs); Basic Process Control System (BPCS); Safety Instrumented System (SIS).]
Background
Considerable concerns arose with respect to the impacts of security incidents to safety functions in IACS
(industrial automation and control systems). Many complex systems of that kind are becoming connected systems
(particularly by interaction based on wireless connectivity from sensors/actuators to complete plants, grids, etc.)
for maintenance and operations. The overall question was: "How to design and manage safety and security – in
cooperation, integrated, or separate system?"
[Figure: definitions, OT+IT. Security Environment; Essential functions => defined in IEC 62443 (not in the functional safety standard IEC 61508); Safety Functions; Security => Safety; Threat 1, Threat 3, Threat 4.]
Read through the case study and work through the activities / questions provided in the slides. You will be given approximately 45 minutes to work through the activity. Thereafter, we will discuss the solutions as a group. You will be invited to comment and share your solution / perspectives during the discussion.
You may consider using MS PowerPoint to draft your solutions, which may include tables or diagrams required as part of the risk assessment activities. You may share your screen during the discussion.
Tasks:
(1) Conduct a Threat Assessment against TCMS. Identify at least three different threat actors and describe how they may target TCMS.
Example:
Physical attacks - This type of threat is caused by intentional offensive actions aiming to achieve maximum distraction, disruption, destruction, exposure, alteration, theft or unauthorized accessing of assets such as hardware or ICT connections.
(2) Conduct a Vulnerability Assessment for TCMS. Identify at least two vulnerabilities that the threats (identified in (1)) could exploit to
target TCMS.
Example:
USB ports to the operator workstation are not disabled - allowing personnel to introduce malware via USB
(3) Conduct Risk Assessment. Based on (1) and (2), carry out a risk assessment. You may use the Detailed Risk Assessment Template
provided (be careful not to overwrite the formula provided in the cells). Complete at least 3 rows.
* Do not be concerned about how the formula in the cells works
(4) Discussion.
Scenario:
Compromising a signalling system leading to a train accident
Tasks:
(1) Identification of Impacted Assets: Identify at least three different assets that could be exploited during this attack.
Example:
Interlocking system: - It is a set of signal apparatus placed on track in order to prevent conflicting movements among trains. To make the attack successful, the attacker would want the interlocking system to malfunction so that it does not prevent an accident.
(2) Analysing the Impact: Identify at least four different impact areas and describe how they may be important for management/public.
Example:
Human casualties: - This type of threat is caused by state sponsored/terrorist offensive actions aiming to achieve maximum
destruction.
(3) Identification of Threat Vector: Identify at least two paths that attackers could have taken to make this attack successful.
Hint: It could be physical and/or logical route to make it happen.
(4) Implement Security Measures: Based on (1), (2) and (3), identify the possible high level security measures and how they can be implemented to prevent these types of cyberattacks.
(5) Discussion.
© 2021 ENSIGN INFOSECURITY | CONFIDENTIAL
© 2023 ENSIGN INFOSECURITY | CONFIDENTIAL