ICS Cybersecurity Lifecycle (exida White Paper, 2013)
Authors: John Cusimano, Gene Cammack

Summary

This white paper from exida discusses the ICS Cybersecurity Lifecycle, a continuous process crucial for industrial control systems (ICS) to prevent cyber-attacks. It highlights the importance of cybersecurity to national security and presents a lifecycle approach to managing cybersecurity throughout an ICS system.
The ICS Cybersecurity Lifecycle
White Paper
exida, 80 N. Main St., Sellersville, PA, www.exida.com
August 2013
exida White Paper Library: http://www.exida.com/Resources/Whitepapers
Copyright exida.com L.L.C. 2018-2020

Abstract

With the ever-changing threats posed by cyber events of any nature, it has become critical to recognize these emerging threats, malicious or not, and identify the consequences these threats may have on the operation of an industrial control system (ICS). Cyber-attacks can take on many forms over time and threaten not only industrial but also national security. Saudi Aramco, the world's largest exporter of crude oil, serves as a perfect example of how devastating a cyber-attack can truly be for an industrial manufacturer. In August 2012, Saudi Aramco (SA) had 30,000 personal computers on its network infected by a malware attack better known as the "Shamoon" virus. According to InformationWeek Security this was roughly 75 percent of the company's workstations and took 10 days to complete clean-up efforts.[i]

The seriousness of cyber-attacks in regards to national security was addressed by former United States Secretary of Defense Leon W. Panetta in his speech in October 2012. Panetta issued a strong warning to business executives about cybersecurity as it relates to national security. "A cyber-attack perpetrated by nation states [and] violent extremist groups could be as destructive as the terrorist attack on 9/11. Such a destructive cyber-terrorist attack could virtually paralyze the nation," he stated. "For example, we know that foreign cyber actors are probing America's critical infrastructure networks. They are targeting the computer control systems that operate chemical, electricity and water plants and those that guide transportation throughout this country."[ii]

In addition to Panetta's address, the U.S. Department of Homeland Security has issued several alerts about coordinated attacks on gas pipeline operators, according to a May 2012 report by ABC News.[iii] This white paper will focus on the significance of cyber-attacks on industrial control systems (ICS) and how these attacks can be prevented by proper practice of the ICS Cybersecurity Lifecycle.

Conclusion

A lifecycle approach to cybersecurity will ensure that cybersecurity is properly addressed, not only during the initial design stage, but throughout the lifecycle of the system. We recommend that companies adopt this approach for existing systems (i.e. brownfield) as well as for new systems (i.e. greenfield) and develop and enforce the appropriate policies and procedures to ensure the process is consistently followed.

What is the ICS Cybersecurity Lifecycle?

The ICS Cybersecurity Lifecycle is a visual guide that recognizes the principle that cybersecurity is a continuous process requiring attention and care not only during the initial design stage but throughout the lifecycle of the system. We have divided the cybersecurity lifecycle into three main phases: the Assess Phase, the Implement Phase and the Maintain Phase. Each phase consists of multiple process steps. The major activities performed in each step are described, as well as the inputs to and the outputs from each step. Additionally, there is an overall Cybersecurity Management Program that must be addressed throughout the lifecycle. This is visualized as the long white bar that spans all three phases.
Figure 1: The ICS Cybersecurity Lifecycle

The Cybersecurity Management Program, as illustrated by the tall white vertical bar in Figure 1, includes those activities, such as the development of policies and procedures and the deployment of training and awareness programs, which are vital to the long-term success of the program.

The Assess Phase, as illustrated by the red shaded section in Figure 1, is an assessment typically done early in the project (e.g. as part of the FEED study). It is focused on identifying and quantifying the current ICS risks, allowing resources to be applied to the highest-risk items first.

The Implement Phase, as illustrated by the yellow shaded section in Figure 1, includes the engineering, commissioning, and startup phases. This phase focuses on designing and implementing technical controls or countermeasures to mitigate the identified risks, particularly those that are unacceptably high. It also consists of verifying and testing the security of the system before deployment.

The Maintain Phase, as illustrated by the green shaded section in Figure 1, includes, as the name implies, operating and maintaining the system. Security controls can deteriorate within a short amount of time because new vulnerabilities and threats appear almost daily. This makes planning for ongoing maintenance extremely important.

Cybersecurity Management Program

As previously stated, the Cybersecurity Management Program embodies those activities that are vital to the long-term success of the program, such as policy/procedure development and awareness/training programs. Such policies, awareness, and training should be in practice throughout all phases of the lifecycle.
Policies

It is important to establish security policies as a company, as a corporation, or even on a project-specific basis in order to ensure that both employees and suppliers understand what is expected of them and how to achieve it. Establishing security policies also demonstrates management support and allows options to be planned in the event of a security breach. Effective policies should describe what is to be achieved rather than how it is to be achieved. That being said, such policies should remain technology independent and focus solely on what needs to be accomplished.

Figure 2: Key ICS Security Policy Topics

Figure 2 displays the types of items that should be highlighted within security policies. As you can see, a significant portion of the items coincide with general IT security policy topics. Although the items in IT and ICS security policies are highly similar, their application to an industrial control system environment can vary quite drastically. Patch management, for example, is a typical part of both IT security policies and ICS security policies. However, unlike an ICS policy, an IT policy will advise a rapid response for the implementation and deployment of security patches from vendors such as Microsoft. In an enterprise setting, a rapid response is perfectly acceptable, if not expected. In a control system environment, however, patching systems can have significant repercussions if not tested or done properly. Therefore a rapid response would not be advised, but rather a slower, more cautious one. Overall, ICS policies may borrow from, but must differ from, those of the IT department. It is exida's experience that the best results occur when IT and control system personnel collaborate and establish what they believe to be the best policies around control system security.

Awareness Programs

Aside from effective policies, the steadfastness of a security system is directly dependent on the awareness of its personnel. Typically an employee or contractor does not fully understand the potential impact of his or her actions, which leads to the high number of policy violations and the social engineering involved in most security breaches. This is why it is vital to ensure that employees, contractors, and any other personnel in contact with the control system are aware of what exactly an ICS is, what risks and threats are present, and why these risks and threats need to be taken seriously. The majority of people believe that technical solutions take care of the security concerns, leading them to conclude that their actions have little impact on the control system as a whole. It is important to remind personnel on a regular basis to be vigilant and attentive to matters of control system security in order to eliminate this misconception.

Training Programs

It is also vital to an ICS to properly train all its stakeholders and inform them of the reasons behind specific security policies, the acceptable procedures and practices, and common social engineering ploys. Training such people can aid in the understanding of updated security controls, ideas that can be utilized to reduce risks, and the impacts on the company if security methods are not incorporated. The best training programs that exida has observed are tailored and role-based, providing information for someone's specific skill level and job requirements.

Assess Phase

The Assess Phase, as shown in Figure 3, can be divided into three subsections.
The first subsection involves scoping and defining the project. This is followed by assessing the risk and vulnerability of the system, and lastly documenting the requirements.

Figure 3: Diagram of Assess Phase

Scope Definition and Project Setup

The first step in the Assess Phase is Scope Definition and Project Setup. The purpose of this step is to define the parameters of the project and clearly identify what you will be assessing. Overall goals for this step are as follows:
- Identify and contain the scope of the project
- Identify project constraints
- Gather and organize information
- Define roles and responsibilities
- Establish training requirements

The scope definition and project setup can be either a formal or an informal process depending on the current state of the project: greenfield or brownfield. Other factors involved in properly defining the scope include corporate site policies and procedures, project-specific requirements, architectural drawings, and relevant regulations and standards. Once the scope definition and project setup is completed, all of this information should be documented in a cybersecurity management plan, regardless of whether a corporate security plan is already in place. The plan should include project-specific issues, such as:
- Corporate security plans
- Project-specific requirements
- Joint venture partner issues
- Local regulations
- Processes
- Roles and responsibilities

Vulnerability Assessment, Risk Assessment, and Target Selection

The next subsection of the Assess Phase consists of determining the vulnerability and risk of the system and identifying risk reduction targets. The purpose of these steps is to classify the business risk in terms of impact on health, safety, environment, equipment, business continuity, and other areas that could result from compromise of the ICS.
This portion requires a vulnerability assessment followed by a risk assessment in order to quantify or qualify the risks and to ensure that these risks are prioritized and addressed with the appropriate amount of resources. The comprehensive goals of this subsection of the Assess Phase include:
- Identifying and classifying key cyber assets
- Identifying and quantifying vulnerabilities, threats, and consequences
- Determining risks
- Establishing risk reduction targets

Vulnerability Assessment

A vulnerability assessment is performed in order to identify weaknesses within a system. How these assessments are conducted can vary greatly depending on whether the assessment is being performed on a new system or an existing system. Assessments on existing systems involve analyzing actual and potential security vulnerabilities by reviewing the current design, performing a site visit, collecting information, and analyzing the system as it is currently running. For new systems, an assessment can only be performed on the system design. Some of the important items to investigate while conducting a vulnerability assessment include:
- Network architecture diagrams
- Network component configurations (e.g., switches, routers, firewalls)
- Host device configurations (e.g., servers, workstations)
- Access control strategies (e.g., how people and computers will gain access)
- Software and firmware versions

Once all items have been thoroughly investigated, a risk assessment can then be conducted.

Risk Assessment

A risk assessment analyzes the vulnerabilities presented in the vulnerability assessment and determines the risks these vulnerabilities pose. Required by ISA/IEC 62443-2-1 [Ref. 2 & 3], the major steps of a cybersecurity risk assessment (also known as a Cyber HAZOP or Cyber PHA) are identifying the threats, the vulnerabilities, and the consequences should the threats be realized or exploited, followed by a qualification of the severity of the consequences and the likelihood that the threat could occur, taking into account existing safeguards. The outcome of this process is the residual risk. An example of a Cyber HAZOP is shown in Figure 4.

Characterizing threats is a crucial part of the risk assessment. Threats can vary depending on the type of process, the location, risks, and hazards. In general, however, threat sources can be categorized into one of four types:
- Authorized personnel: non-malicious in nature; someone who may unintentionally misuse the system
- Unauthorized personnel: mischievous if not malicious in nature; someone attempting to do something beyond his or her level of authority
- Outsider: any non-authorized person with malicious intent
- Malware: any malicious software that enters the control system, such as a virus, worm, or Trojan horse

Figure 4: Example Cyber HAZOP

Model the System, Document the Requirements

The last section of the Assess Phase consists of modeling the system and documenting the requirements. Typically a zone and conduit model as introduced in ISA/IEC 62443-1-1 [Ref. 1 & 2] will be used to model the system. Applying this model to a standard control system requires defined security zones and the communication channels (conduits) between those zones. Possible zones could include: business or enterprise zone, process information zone, process operations zone, process safety zone, process control zone, and process measurement zone.
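The Cyber HAZOP worksheet described under Risk Assessment above, as an added worked example written for this page (it is not exida's CyberPHAx tool or the paper's own method): each scenario carries one of the four threat-source categories, a vulnerability, a consequence, a severity and an unmitigated likelihood, and the existing safeguards credited against likelihood; residual risk is ranked against a tolerable level to produce the risk reduction targets, and re-evaluating the same worksheet after new countermeasures are documented is the check the Implementation Phase's Design Validation step calls for. The 1..5 scales, the 5x5 risk matrix, the tolerable-risk threshold and every scenario value are constructed assumptions, not figures from the paper.

```python
"""Cyber PHA / Cyber HAZOP worksheet model (constructed example, not exida's tooling)."""
from dataclasses import dataclass, field
from typing import List, Optional

# The four threat-source categories the paper's risk assessment step uses.
THREAT_SOURCES = ("authorized", "unauthorized", "outsider", "malware")


@dataclass
class Safeguard:
    name: str
    likelihood_reduction: int   # likelihood steps this countermeasure is credited with (assumed)


@dataclass
class Scenario:
    zone: str
    threat_source: str
    vulnerability: str
    consequence: str
    severity: int       # 1 = negligible .. 5 = catastrophic (assumed scale)
    likelihood: int     # 1 = remote .. 5 = frequent, before any safeguard is credited
    safeguards: List[Safeguard] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.threat_source not in THREAT_SOURCES:
            raise ValueError(f"unknown threat source: {self.threat_source}")
        if not (1 <= self.severity <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError("severity and likelihood must be in 1..5")

    def residual_likelihood(self) -> int:
        # Credit every existing safeguard; likelihood never drops below 'remote'.
        return max(1, self.likelihood - sum(s.likelihood_reduction for s in self.safeguards))

    def residual_risk(self) -> int:
        # Residual risk = severity x residual likelihood on the assumed 5x5 matrix.
        return self.severity * self.residual_likelihood()


def risk_reduction_target(s: Scenario, tolerable: int) -> Optional[int]:
    """Likelihood steps still to remove for s to be tolerable: 0 if already tolerable,
    None if no likelihood reduction can get there (the consequence itself must be reduced)."""
    if s.residual_risk() <= tolerable:
        return 0
    target_likelihood = tolerable // s.severity   # largest L with severity * L <= tolerable
    if target_likelihood < 1:
        return None
    return s.residual_likelihood() - target_likelihood


def rank_targets(scenarios: List[Scenario], tolerable: int) -> list:
    """Risk reduction targets: scenarios above the tolerable level, worst first, as
    (zone, consequence, residual risk, likelihood steps still needed) tuples."""
    above = sorted((s for s in scenarios if s.residual_risk() > tolerable),
                   key=lambda s: s.residual_risk(), reverse=True)
    return [(s.zone, s.consequence, s.residual_risk(), risk_reduction_target(s, tolerable))
            for s in above]


def design_validation(scenarios: List[Scenario], tolerable: int) -> bool:
    """Design Validation: once new countermeasures are documented as safeguards on the
    worksheet, re-evaluate and confirm every residual risk is now tolerable."""
    return all(s.residual_risk() <= tolerable for s in scenarios)


# Constructed worksheet rows; every value is an illustrative assumption.
WORKSHEET = [
    Scenario("process control", "outsider",
             "unpatched engineering workstation reachable from the business network",
             "unauthorized setpoint change, loss of production", severity=4, likelihood=4,
             safeguards=[Safeguard("enterprise/control zone firewall", 1)]),
    Scenario("process safety", "malware",
             "USB media used for logic downloads to the safety PLC",
             "safety function defeated", severity=5, likelihood=3,
             safeguards=[Safeguard("portable media policy", 1)]),
    Scenario("process information", "authorized",
             "shared administrator account on the historian server",
             "corrupted production records", severity=2, likelihood=4),
    Scenario("business", "unauthorized", "guest Wi-Fi reaches the office LAN",
             "disclosure of non-critical data", severity=1, likelihood=5),
]
TOLERABLE_RISK = 6   # assumed corporate tolerable-risk boundary on the 5x5 matrix

if __name__ == "__main__":
    for target in rank_targets(WORKSHEET, TOLERABLE_RISK):
        print(target)
```

Appending the selected countermeasures to each target scenario's safeguards and calling design_validation again is the re-evaluation step; a None target flags a scenario where likelihood reduction alone cannot reach the tolerable level and the consequence must be reduced instead.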
Breaking the system down into defined electronic security zones allows a threat to be contained within a specific area and a certain level of security to be applied to all aspects of the zone. To be in accordance with the ISA 62443-3-2 standard [Ref. 5], the following items must be documented in a cybersecurity requirements specification for each zone and conduit:
- Scope and purpose of the system
- Physical and environmental security requirements
- General cybersecurity requirements
- Zone and conduit-specific requirements
  o Name and/or unique identifier
  o Logical boundary
  o Physical boundary, if applicable
  o List of all access points and associated boundary devices
  o List of data flows associated with each access point
  o Connected zones or conduits
  o List of assets and associated consequences
  o Security level target
  o Applicable security policies
  o Assumptions and external dependencies

Implementation Phase

Subsequent to the Assess Phase is the Implementation Phase (Figure 5). The Implementation Phase consists of two main divisions: conceptual design and detailed design. Unlike conceptual design, detailed design is focused more on testing the design than on validating it.

Figure 5: Diagram of Implement Phase

Conceptual Design

The conceptual design will view and assess the following:
- Defense-in-depth strategies
- Selection of countermeasures
- Revised zone and conduit model
- Updated architecture diagrams
- Access control strategies

Within the conceptual design, countermeasures are selected and applied in order to mitigate risk. ISA 62443-3-3 [Ref. 6] provides excellent guidance on countermeasures. Each countermeasure is assigned to a category and a Security Level capability.
Examples of countermeasures include:
- Physical access controls
- Logical access controls
- Portable media management
- Malicious code protection
- Organizational and operational controls
- Communications filtering
- Data encryption

Design Validation

Following the identification and application of proper countermeasures, it is essential to verify that the new secure design has reached its objectives. One method of effectively verifying whether these objectives have been met is to return to the risk assessment performed in the Assess Phase, document the newly implemented safeguards/mitigations, and re-evaluate. If the new design goals have been achieved, the risk following re-evaluation should be reduced to tolerable levels.

Test Planning and Acceptance Testing

Once reduced levels of risk have been accomplished, the next step is to develop a test plan. Thorough and proficient test plans should involve creating test objectives and test plans based on the cybersecurity requirements and design specifications. A checklist to audit security settings is also helpful in implementing test plans. While such methods are valid in any test plan, it is important to conduct more rigorous testing, such as abuse cases, for greenfield projects. Abuse cases test the boundaries of the system at its entry points to determine whether the system operates as designed. Additionally, an abuse case negatively tests the system in order to conclude whether the security in place can be violated. Abuse cases can be simulated by penetration testing (pen-testing). As implied by the name, pen-testing refers to the deliberate attempt to infiltrate safeguards. It is generally not appropriate to conduct such testing on operational (i.e. online) control systems, as the testing may cause the system to behave in an unpredictable and thus unsafe manner. However, more aggressive testing can safely be performed, and is encouraged, during factory acceptance testing or site acceptance testing of a new or updated system. Conducting rigorous testing of these systems before deployment will ensure the safety of the system as well as the overall safety of the company and its employees.

Maintain Phase

The final stage of the cybersecurity lifecycle is the Maintain Phase (Figure 6). This phase encompasses the maintenance of implemented countermeasures, security monitoring, modification/decommissioning, and periodic assessments of the systems in place.

Figure 6: Diagram of Maintain Phase

Countermeasure Maintenance and Security Monitoring

As previously mentioned, threat environments are perpetually fluctuating and present new vulnerabilities almost daily. It is for this reason that the implementation of countermeasures cannot be a one-time process. Continual oversight and preservation of the system is necessary in order to ensure proper security. Such oversight could involve the monitoring of patches, anti-virus software, and system logs. Inspection of system logs allows for the detection of unusual events as well as possible intrusions. Another method to reveal possible intrusions is the use of intrusion detection technology. Intrusion detection analyzes network traffic and indicates whether the system is being invaded, in addition to recognizing any abnormalities/anomalies in the network communications.

Incident Response Planning and Periodic Assessments

Accompanying the monitoring of the system should be proper planning and preparation regarding the response to a security incident. Planning response mechanisms prior to a security incident is always recommended.
Periodic audits are also a critical part of security maintenance, due to the deterioration of measures and practices over time as well as the availability of new information and techniques. If it is determined that a modification must be made during one of these periodic assessments, it is important to re-evaluate the system by returning to the appropriate phase of the cycle. Where to return in the lifecycle will depend on the severity and implications of the change. Sections of the process may need to be repeated, but this repetition will ultimately provide the up-to-date security required for proper system operation.

References

1. ANSI/ISA 99.00.01-2007, "Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts, and Models", 2007.
2. IEC/TS 62443-1-1 ED. 1.0 EN:2009, "Industrial communication networks - Network and system security - Part 1-1: Terminology, concepts and models", 2009.
3. ANSI/ISA 99.02.01-2009, "Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program", 2009.
4. IEC 62443-2-1 ED. 1.0 EN:2010, "Industrial communication networks - Network and system security - Part 2-1: Establishing an industrial automation and control system security program", 2010.
5. ISA-62443-3-2, "Security for Industrial Automation and Control Systems: Security assurance levels for zones and conduits", Draft for Comment, http://isa99.isa.org/Documents/Drafts/ISA-62443-3-2-WD.pdf
6. ISA-62443-3-3, "Security for Industrial Automation and Control Systems: System security requirements and security assurance levels", Approved, http://isa99.isa.org/Documents/Drafts/ISA-62443-3-3-WD.pdf

Source Material

The material for this White Paper was adapted from the following exida training courses:
- Understanding and Applying the ICS Cybersecurity Lifecycle (4-day)
- 7 Steps to Industrial Control System Security (1-day)

Revision History

Authors: John Cusimano, Gene Cammack

exida - Who we are.

exida is one of the world's leading accredited certification and knowledge companies specializing in automation system cybersecurity, safety, and availability. Founded in 2000 by several of the world's top reliability and safety experts, exida is a global company with offices around the world. exida offers training, coaching, project-oriented consulting services, standalone and internet-based safety and cybersecurity engineering tools, detailed product assurance and certification analysis, and a collection of online safety, reliability, and cybersecurity resources. exida maintains a comprehensive failure rate and failure mode database on electrical and mechanical components, as well as automation equipment, based on hundreds of field failure data sets representing over 350 billion unit operating hours.

exida Certification is an ANSI (American National Standards Institute) accredited independent certification organization that performs functional safety (IEC 61508 family of standards) and cybersecurity (IEC 62443 family of standards) certification assessments.

exida Engineering provides the users of automation systems with the knowledge to cost-effectively implement automation system cybersecurity, safety, and high availability solutions.
The exida team will solve complex issues in the fields of functional safety, cybersecurity, and alarm management, such as unique voting arrangement analysis, quantitative consequence analysis, or rare event likelihood analysis, and stands ready to assist when needed.

Training

exida believes that safety, high availability, and cybersecurity are achieved when more people understand the topics. Therefore, exida has developed a successful training suite of online, on-demand, and web-based instructor-led courses and on-site training, provided either as part of a project or as standard courses. The course content and subjects range from introductory to advanced. The exida website lists the continuous range of courses offered around the world.

Knowledge Products

exida Innovation has made the process of designing, installing, and maintaining a safety and high availability automation system easier, as well as providing a practical methodology for managing cybersecurity across the entire lifecycle. Years of experience in the industry have allowed a crystallization of the combined knowledge that is converted into useful tools and documents, called knowledge products. Knowledge products include procedures for implementing cybersecurity, the Safety Lifecycle tasks, software tools, and templates for all phases of design.
Tools and Products for End User Support

exSILentia® - Integrated Safety Lifecycle Tool
  o PHAx™ (Process Hazard Analysis)
  o LOPAx™ (Layer of Protection Analysis)
  o SILAlarm™ (Alarm Management and Rationalization)
  o SILect™ (SIL Selection and Layer of Protection Analysis)
  o Process SRS (PHA based Safety Requirements Specification definition)
  o SILver™ (SIL verification)
  o Design SRS (Conceptual Design based Safety Requirements Specification definition)
  o Cost (Lifecycle Cost Estimator and Cost Benefit Analysis)
  o PTG (Proof Test Generator)
  o SILstat™ (Life Event Recording and Monitoring)

exSILentia® Cyber - Integrated Cybersecurity Lifecycle Tool
  o CyberPHAx™ (Cybersecurity Vulnerability and Risk Assessment)
  o CyberSL™ (Cyber Security Level Verification)

Tools and Products for Manufacturer Support

- FMEDAx (FMEDA tool including the exida EMCRH database)
- ARCHx (System Analysis tool; Hardware and Software Failure, Dependent Failure, and Cyber Threat Analysis)

For any questions and/or remarks regarding this White Paper or any of the services mentioned, please contact exida:
exida.com LLC
80 N. Main Street
Sellersville, PA, 18960 USA
+1 215 453 1720
+1 215 257 1657 FAX
[email protected]