How can I use ISA/IEC-

62443 (Formally ISA 99)

to minimize risk?
Standards
Certification
Education & Training
Publishing
Conferences & Exhibits
Presenter

• Senior consultant in Maverick's Operation Consulting

Team. Twenty five year field systems engineer with a
California Professional Engineer license, and BA in
Economics from California State University Fullerton.
Proudly served twenty years as a Marine Safety Officer
in the United States Coast Guard Reserve.

2
What is ISA 62443?

A series of ISA standards that addresses the subject of

security for industrial automation and control systems. The
focus is on the electronic security of these systems,
commonly referred to as cyber security.

3
What is ISA 62443?
What is ISA 62443?

Part 1: Terminology, Concepts and Models

Establishes the context for all of the remaining standards in

the series by defining a common set of terminology,
concepts and models for electronic security in the industrial
automation and control systems environment.

5
ISA/IEC 62443-1-1

Terminology,
Concepts and
Models
What is ISA 62443?

Part 2: Establishing an Industrial Automation and Control

System Security Program

Describes the elements of a cyber security management

system and provide guidance for their application to
industrial automation and control systems.

7
ISA/IEC 62443-2-1
Establishing an
Industrial Automation
and Control Systems
Security ISA/IEC 62443-2-1

Requirements for an
IACS Security
Management System
ISA/IEC 62443-2-3

Patch management in
the IACS
environment
What is ISA 62443?

Part 3: Operating an Industrial Automation and Control

System Security Program

Addresses how to operate a security program after it is

designed and implemented. This includes definition and
application of metrics to measure program effectiveness.

10
ISA/IEC 62443-2-3

System security
requirements and
security levels
Real threats vs. Perceived threats
Potential cyber threats (What management
hears on the news or from IT)

• Database Injection
• Replay
• Spoofing
• Social Engineering
• Phishing
• Malicious Code
• Denial of Service
• Escalation of Privileges

ISA/IEC 62443-1-1 5.5.4

FACTS
Targeted attack on a steel plant in Germany 2010.
METHOD
Using sophisticated spear phishing and social engineering an
attacker gained initial access on the office network of the steelworks.
From there, they worked successively to the production networks.
DAMAGE
More frequent failures of individual control components or entire
plants became evident. The failures resulted in a unregulated blast
furnace in a controlled condition that could not be shut down. The
result was massive damage to the furnace.
Technical skills
The technical capabilities of the attacker were very advanced.
Compromise extended to a variety of internal systems of industrial
components. The know-how of the attacker was very pronounced in
the field of conventional IT security and extended to applied
industrial control and production processes.
Suxtnet is not
your problem

It’s the USB

Or the contractors
laptop
Your current likely cyber threats

• Missing or undocumented DCS/PLC programs

• Missing drivers or configuration software
• Loading old program versions
• Loss of passwords
• Inadvertent virus infections
• Disruptive polling of automation system from business
network
• Curious employees
• Power failure

ISA/IEC 62443-1-1 5.5.4

Your current likely cyber threats

In a report released today, Unisys recommended that

critical infrastructure organizations take on cost effective
security strategies by aligning them with other business
strategies and goals, and through managing identities and
entitlements to improve identity assurance and reduce
"critical employee errors," – as 47 percent of respondents
said an "accident or mistake" was the root cause of their
security breaches in the past year.
What if you could mitigate
your current cyber threats
(what you are interested in)

while also preventing

potential cyber threats?
(what management is
concerned about)
The first step to implementing a cyber security program for
IACS is to develop a compelling business rationale for
the unique needs of the organization to address cyber risk

• Prioritized business consequences

• Prioritized threats
• Estimated annual business impact
• Cost
In a report released today, Unisys recommended that
critical infrastructure organizations take on cost effective
security strategies by aligning them with other business
strategies and goals, and through managing identities and
entitlements to improve identity assurance and reduce
"critical employee errors," – as 47 percent of respondents
said an "accident or mistake" was the root cause of their
security breaches in the past year.
Business risks from current and potential
threats

• Personnel safety risks: death or injury

• Process safety risks: equipment damage or business
interruption
• Information security risk: cost, legal violation, or loss of
brand image
• Environmental risk: notice of violation, legal violations, or
major impact
• Business continuity risk: business interruption
Let’s save some time!

“High-level assessment is required because experience

has shown that if organizations start out by looking at
detailed vulnerabilities, they miss the big picture of cyber
risk and find it difficult to determine where to focus their
cyber security efforts. Examination of risks at a high level
can help to focus effort in detailed vulnerability
assessments.”

ISA/IEC 62443-2-1 Annex C Proposed

ISA/IEC 62443-2-1 4.1
So where do I start?

ISA/IEC 62443-2-1 Annex A

 Annex A soon to be Annex C

• Developing a network diagram of the IACS (see C.3.3.3.8.4).

• Understanding that risks, risk tolerance and acceptability of

countermeasures may vary by geographic region or business
organization.

• Maintaining an up-to-date record of all devices comprising the IACS for

future assessments.
 Annex A soon to be Annex C

• Establishing the criteria for identifying which devices comprise the IACS.

• Identifying devices that support critical business processes and IACS

operations including the IT systems that support these business
processes and IACS operations.

• Classifying the logical assets and components based on availability,

integrity, and confidentiality, as well as HSE impact.
 Developing a network diagram of the IACS

WAN
INTERNET
Remote PLC
Support via LOCAL ISP

Enterprise
Terminal
Services to
PLC Remote DCS
Engineering Support
Internal
Station (Static IP)
Device Adaptive Security
Firewall (Static IP) CEMS VIM CEMS Appliance and VPN
software System BUSINESS LAN
support support
(Static IP) (Static IP)

DMZ VLAN

CEMS PLC

DMZ
Engineering
Workstation
Station
I/P SWITCH

3
Fiber Optic 3 3
Channel B

Operator Operator Operator Windows Domain

Engineering Controller/Anti
Workstation Workstation Workstation Historian Ethernet I/P

DCS
Workstation virus/Management
Radio
(Password
1 2 1 2 1 2 DCS VLAN management)
1 2 1 2
1111 1 22222
1 2
Root Switch Root Switch Fiber Optic Channel A
(exisitng) (exisitng)

FIELD
Replace hub with optional switch to
create subnet to isolate HMI polls
from DCS network

Cooling Air Quality-1 Air Quality-2 ASH FUEL CEMS-1 CEMS-2

RO HMI RO PLC Demin Demin Tower
HMI PLC Chemical
(Future)
30
Developing a network diagram of the IACS

31
Developing a network diagram of the IACS

32
 Developing a network diagram of the IACS

WAN
INTERNET
Remote PLC
Support via LOCAL ISP

Enterprise
Terminal
Services to
PLC Remote DCS
Engineering Support
Internal
Station (Static IP)
Device Adaptive Security
Firewall (Static IP) CEMS VIM CEMS Appliance and VPN
software System BUSINESS LAN
support support
(Static IP) (Static IP)

DMZ VLAN

CEMS PLC

DMZ
Engineering
Workstation
Station
I/P SWITCH

3
Fiber Optic 3 3
Channel B

Operator Operator Operator Windows Domain

Engineering Controller/Anti
Workstation Workstation Workstation Historian Ethernet I/P

DCS
Workstation virus/Management
Radio
(Password
1 2 1 2 1 2 DCS VLAN management)
1 2 1 2
1111 1 22222
1 2
Root Switch Root Switch Fiber Optic Channel A
(exisitng) (exisitng)

FIELD
Replace hub with optional switch to
create subnet to isolate HMI polls
from DCS network

Cooling Air Quality-1 Air Quality-2 ASH FUEL CEMS-1 CEMS-2

RO HMI RO PLC Demin Demin Tower
HMI PLC Chemical
(Future)
33
 Annex A soon to be Annex C

• Conducting a risk assessment through all stages of the technology l

lifecycle (development, implementation, updating and retirement).

• Identifying reassessment frequency or triggering criteria based on

technology, organization or industrial operation changes.
The risk equation

Risk = Likelihood of Event Occurring × Consequence

The risk equation
If you done a HAZOP, you can do a cyber
security risk assessment!

BS IEC 61882:2001 Hazard and Operability

(HAZOP) Studies. HAZOP is a structured and
systematic technique for examining a defined
system, with the objective of:

Identifying potential hazards in the system. The

hazards involved may include both those
essentially relevant only to the immediate area of
the system and those with a much wider sphere
of influence, e.g. some environmental hazards;

Identifying potential operability problems with the

system and in particular identifying causes of
operational disturbances and production
deviations likely to lead to nonconforming
products.
The HAZOP Study Procedure
Risk Response (For the MBAs)

• Assess initial risk

• Implement countermeasures
• Assess residual risk

ISA/IEC 62443-1-1 6.1

Risk Response (For the Engineers)

• Design the risk out

• Reduce the risk
• Accept the risk
• Transfer or share the risk
• Eliminate or fix outdated risk control measures
The goal!

ISA/IEC 62443-1-1 5.6

So why a entire new program
(or why cant we just specify a solution?)

ISA/IEC 62443-1-1 5.6

It takes a team!

ISA/IEC 62443-1-1 5.6

Pitfalls

• Designing the solution during the assessment

• Minimizing or overstating the consequence

• Failing to gain consensus on the risk

assessment results

• Assessing the system without considering the

assessment results from other similar systems
Cyber security is much
less about technology
then it is just good
management.