Industrial Control System System Protection Profile v0.91

1
Industrial Control System System Protection
Profile v0.91
  • Ronald B. Melton
  • Presented to the NIST Process Control Security Requirements Forum
  • February 18, 2004

2
Objective of Presentation
  • Introduce the results of further development and
    refinement of the ICS-SPP
  • Promote discussion of specific elements that need
    input from the group before they are completed
  • Answer questions about the ICS-SPP

3
Outline of Presentation
  • Document Usage
  • Basic Security Approach
  • Document Summary
  • To be done
  • Concluding Remarks
  • Discussion

4
Document Usage
  • ICS-SPP documents security requirements for a
    generic industrial control system
  • High level of abstraction
  • Analogous to a high-level definition in an object
    class hierarchy
  • Additional refinement and details will come from:
      • System security targets for specific systems
      • System protection profiles for more specific
        classes of systems, e.g., SCADA or DCS
  • Component or product protection profiles may be
    based on subsystems or components identified in
    the system protection profiles

5
ICS-SPP Relationships
[Figure: relationships among System PPs, System STs, and Component PPs (e.g., Component 1 PP)]

6
Basic Security Approach
  • Protection of ICS components
      • Physical attack
      • Logical attack
  • Information flow protection
      • Integrity of control signals and related business
        information
      • Availability of control signals and related
        business information
  • Both insider and external threat agents

7
Basic Security Approach (Cont'd)
  • Protection provided by security controls
  • Management controls: organization-based and
    executed safeguards and countermeasures to manage
    security and risks to information and operations
      • Risk assessment, security planning, security
        policy
  • Operational controls: safeguards and
    countermeasures executed by personnel to support
    system security
      • Personnel security, physical and environmental
        protection, contingency planning operations,
        training
  • Technical controls: safeguards and
    countermeasures implemented within the
    information system's hardware, software or
    firmware
      • IA, logical access control, auditing

8
System Target of Evaluation
  • Management Controls
      • Access control policy
      • Contingency operations policy
  • Technical Controls
      • IA
      • Audit
  • Operational Controls
      • Physical access
      • Incident monitoring

9
Document Summary Structure
  • Chapter 1 Introduction
  • Chapter 2 STOE Description
  • Chapter 3 STOE Security Environment
  • Chapter 4 Risks
  • Chapter 5 Security Objectives
  • Chapter 6 Security Requirements
  • Chapter 7 SPP Application Notes
  • Chapter 8 Rationale
  • Appendix A Acronyms

10
Risk Variables

11
Threat Definition

12
Risk Analysis Concept

13
Risk Analysis Documentation
  • Threat Agents (Table 4)
  • Vulnerabilities (Table 5)
  • Attack Methods (Table 6)
  • Assets (Table 7)
      • Physical assets
      • Information assets
  • Threats countered by the STOE (Table 8)
  • Organizational Security Policies (Table 9)
  • Risk Categories for the STOE (Table 10)

14
Specific Risk Analysis
  • We are setting the stage for risk analysis
  • ICS-SPP identifies generic variables relevant to
    risk analysis, e.g., assets, threats,
    vulnerabilities
  • Further refinement is required
      • Refine existing variables
      • Identify new variables
      • Delete variables if not relevant
  • A specific risk analysis can then be completed by
    assigning values to the variables in chapters 3
    and 4 of the ICS-SPP
      • Identify the risks according to category
      • Prioritize the risks
  • Integration into the existing organization's risk
    management process (e.g., NIST SP 800-30)

15
Security Objectives
  • O.BOUNDARY_PROTECTION
  • O.RISK
  • O.NON_INTERFERENCE
  • O.DATA_BACKUP
  • O.DATA_AUTHENTICATION
  • O.BACKUP_POWER
  • O.CONTINUITY
  • O.VERIFY
  • O.OWNERSHIP

16
Security Objectives, cont.
  • O.MIGRATION
  • O.COMPLIANCE
  • O.COLLABORATE
  • O.ACCESS_CONTROL
  • O.COMMS_INTEGRITY
  • O.AVAILABLE
  • O.CONTROL_INTEGRITY

17
Document Summary Changes
  • More formal structure and naming conventions
  • Additional detail in chapters 3 and 4 to support
    risk analysis
  • Refined security objectives
  • Refined security requirements
  • Additional detail in security assurance
    requirements

18
To be done: General
  • Complete chapter 2 STOE description
  • Refine security functional and assurance
    requirements based on:
      • Feedback from PCSRF
      • Rationale development
      • Definition of minimum set of ICS requirements
  • Complete rationale development
  • Complete application notes

19
To be done: Specific - 1
  • Chapter 2
      • Verify scope of STOE
      • STOE diagrams
      • Physical / logical scope and external environment
  • Chapter 3
      • Refine sources / categories of ICS
        vulnerabilities
  • Chapter 4
      • Confirm specification of risk categories

20
To be done: Specific - 2
  • Chapter 6
      • Finalize selection of security functional
        requirements (SFRs) and security assurance
        requirements (SARs)
  • Chapter 7
      • Get comments on basic outline and structure of
        the chapter
  • Chapter 8
      • Get comments on the skeleton of this chapter

21
Response to comments on v0.88
  • Comments responded to directly or indirectly
  • Document reorganized for clarity and suitability
    for evaluation as a protection profile
  • Some comments relate to how the ICS-SPP will be
    used and will be covered in the application notes.

22
Physical / Implementation View
[Figure: Enterprise Network (connection via gateway/router), Control Network (WAN, LAN, microwave link via gateway), Field Network (field/remote site interconnected via WAN/microwave)]

23
Concluding Remarks
  • Thank you all for the comments and discussion
    from this and the earlier version of the ICS-SPP
  • We believe that we have made good progress in
    continuing to refine the ICS-SPP
  • We want the ICS-SPP to be a foundation for
    additional SPPs
  • We look forward to your additional comments and
    feedback

24
Contact Information
  • Ron Melton, Decisive Analytics Corporation
      • ron.melton_at_dac.us
      • 301-591-1635
  • Murray Donaldson, Decisive Analytics Corporation
      • murray.donaldson_at_dac.us
      • 410-884-7000 x225
  • Keith Stouffer, NIST
      • keith.stouffer_at_nist.gov
      • 301-975-3877