UL SUBJECT 2900-2-2-2016 Outline of Investigation for Software Cybersecurity for Network-Connectable Products Part 2-2 Particular Requirements for Inducstrial Control Systems (Issu.pdf

UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION OR DISTRIBUTION WITHOUT PERMISSION FROM UL

MARCH 30, 2016

UL 2900-2-2

Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-2: Particular Requirements for Industrial Control Systems

Issue Number: 1

March 30, 2016

Summary of Topics

The outline aims to provide the minimum set of requirements by which the security-related features of industrial control system components are evaluated at the product level and tested for known vulnerabilities while also establishing a minimum set of verification activities intended to reduce the likelihood of zero-day vulnerabilities that may affect the component.

UL's Outlines of Investigation are copyrighted by UL. Neither a printed nor electronic copy of an Outline of Investigation should be altered in any way. All of UL's Outlines of Investigation and all copyrights, ownerships, and rights regarding those Outlines of Investigation shall remain the sole and exclusive property of UL.

COPYRIGHT 2016 UNDERWRITERS LABORATORIES INC.

CONTENTS

INTRODUCTION
1 Scope
2 Normative References
3 Glossary

DOCUMENTATION OF PRODUCT, PRODUCT DESIGN AND PRODUCT USE
4 Product Documentation
5 Product Design Documentation
6 Documentation for Product Use

RISK CONTROLS
7 General
8 Access Control, User Authentication and User Authorization
9 Remote Communication
10 Cryptography
11 Product Management

RISK MANAGEMENT
12 Vendor Product Risk Management Process

VULNERABILITIES AND EXPLOITS
13 Known Vulnerability Testing
14 Malware Testing
15 Malformed Input Testing
15.1 General
15.2 Malformed input test I
15.3 Malformed input test II
16 Structured Penetration Testing

SOFTWARE WEAKNESS ANALYSIS
17 Software Weakness Analysis
18 Static Code Analysis
19 Static Binary and Byte Code Analysis

INTRODUCTION

Note: This Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-2: Particular Requirements for Industrial Control Systems refers to the Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1.

1 Scope

1.1 This security evaluation outline applies to the evaluation of industrial control systems components. It applies to, but is not limited to, the following products:

a) Programmable Logic Controllers (PLC);
b) Distributed Control Systems (DCS);
c) Process control systems;
d) Data acquisition systems;
e) Historians, data loggers and data storage systems;
f) Control servers;
g) SCADA servers;
h) Remote Terminal Units (RTU);
i) Intelligent Electronic Devices (IED);
j) Human-Machine Interfaces (HMI);
k) Input/Output (IO) servers;
l) Fieldbuses;
m) Networking equipment for ICS systems;
n) Data radios;
o) Smart sensors;
p) Controllers; and
q) Embedded system/controllers.

1.2 This outline does not contain any requirements regarding functional testing of products unless where expressly specified.

1.3 This outline also describes requirements for the product risk management process carried out by the vendor of the product, including a list of security controls that the product (or the vendor, as applicable) shall comply with unless a risk assessment done by the vendor shows that the risk of not implementing one of these security controls is acceptable.

2 Normative References

2.1 All references are for the current published version of the document unless stated otherwise.

a) IEC 62443 (all parts), Security for Industrial Automation and Control Systems
b) NIST FIPS 140-2 (all parts), Security Requirements for Cryptographic Modules
c) NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security

3 Glossary

3.1 AUTHENTICATION - The process of verifying the identity of an entity.

3.2 AUTHENTICITY - The property that data, information or software originate from a specific entity, which may or may not have been authenticated.

3.3 AUTHORIZATION - The process of giving an entity permission to access or manipulate the product, or the property that an entity has such permission.

3.4 BYTE CODE - Instructions and/or data that are created from source code as an intermediate step before generating binary code. Byte code is independent of a specific processor architecture and is typically handled by a virtual machine or interpreter.

3.5 CONFIDENTIALITY - The property that data, information or software is not made available or disclosed to unauthorized individuals, entities, or processes.

3.6 DATA LOGGER/HISTORIAN - An industrial control component that has a primary function of measuring and recording physical and electrical parameters over a period of time.

3.7 EMBEDDED PRODUCT - Comprises both hardware and software for the execution of a given function where the hardware is not a general purpose computer running a special purpose computing system.

3.8 EXPLOIT - An input or action designed to take advantage of a weakness (or multiple weaknesses) and achieve a negative technical impact.

NOTE: The existence of an exploit targeting a weakness is what makes that weakness a vulnerability.

3.9 FILE - A collection of data or program instructions stored as a unit with a single name.

3.10 GENERATIONAL MALFORMED INPUT TESTING - A method of deriving malformed input test cases by using detailed knowledge of the syntax and semantics of the specifications of the protocol or file format being tested.

3.11 LOCAL INTERFACE - An external interface potentially allowing access only to individuals, entities or systems within a very acute proximity requiring physical access to the product.

NOTE: An example is a physically wired direct connection like a USB connection or RS 485 connection within physical proximity.

3.12 MALFORMED INPUT TESTING - A black-box testing technique used to reveal software weaknesses and vulnerabilities in a product by triggering them with invalid or unexpected inputs on the external interfaces of the product.

3.13 MALWARE - Software designed with malicious intent to disrupt normal function, gather sensitive information, and/or access other connected systems.

3.14 NETWORK - A collection of nodes and telecommunication links, allowing connected devices, software etc. to exchange data and communicate.

3.15 PERSONALLY IDENTIFIABLE INFORMATION - Any information belonging to an individual that can uniquely distinguish an individual or information that can be used to derive their identity.

NOTE: This can be, but is not limited to an individual's location, health records and/or financial records that when used can determine the actual individual's identity.

3.16 PLC/DCS CONTROLLER - An embedded product used for the automation of industrial and electromechanical processes.

3.17 PRODUCT - The network-connectable device, software or system under test.

3.18 RISK - The potential for harm or damage, measured as the combination of the likelihood of occurrence of that harm or damage and the impact of that harm or damage.

3.19 RISK CONTROL - Any action taken or feature implemented to reduce risk.

3.20 RISK MANAGEMENT - Systematic application of management policies, procedures and practices to the tasks of analyzing, evaluating, controlling and monitoring risk.

3.21 SECURE ELEMENT - A tamper-resistant platform like a chip capable of securely hosting applications and their confidential and cryptographic data and will prevent unauthorized access.

3.22 SECURITY - The state of having acceptable levels of confidentiality, integrity, authenticity and/or availability of product data and/or functionality.

3.23 SENSITIVE DATA - Sensitive data is any critical security parameter that can compromise the use and security of the product such as passwords, keys, seeds for random number generators, authentication data.

3.24 SOFTWARE WEAKNESS - A mistake in the architecture, design, coding, build process or configuration of software in the product, that may render the product vulnerable to a security exploit.

3.25 SPLIT KNOWLEDGE - A process by which a cryptographic key is split into multiple key components. Use of the split components separately cannot obtain the cryptographic key, only when combined can it recreate the original cryptographic key.

3.26 STATIC ANALYSIS - A process in which source code, bytecode or binary code is analyzed without executing the code.

3.27 VULNERABILITY - A software weakness found in the product for which an exploit may exist, such that it can be directly used by an attacker.

3.28 ZERO-DAY (VULNERABILITY) - A vulnerability that is detected in software and is not (yet) publicly available and may not (yet) be known to the vendor of that software.

DOCUMENTATION OF PRODUCT, PRODUCT DESIGN AND PRODUCT USE

4 Product Documentation

4.1 The product shall comply with Product Documentation, Section 4, of the Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 1: General Requirements, UL 2900-1.

5 Product Design Documentation

5.1 The product shall comply with Product Design Documentation, Section 5, of the Outline of Investigation for Software Cybersecurity for Network-Connectable Devices, Part 1: General Requirements, UL 2900-1.

6 Documentation for Product Use

6.1 The product shall comply with Documentation for Product Use, Section 6, of the Outline of Investigation for Software Cybersecurity for Network-Connectable Devices, Part 1: General Requirements, UL 2900-1.

RISK CONTROLS

7 General

7.1 The product shall comply with Risk Controls, Section 7, of the Outline of Investigation for Software Cybersecurity for Network-Connectable Devices, Part 1: General Requirements, UL 2900-1.

8 Access Control, User Authentication and User Authorization

8.1 The product shall comply with Access Control, User Authentication and User Authorization, Section 8, of the Outline of Investigation for Software Cybersecurity for Network-Connectable Devices, Part 1: General Requirements, UL 2900-1.

8.2 At no time shall the use of remote access compromise the integrity of the product or change the intended use of the product.

8.3 If a product allows remote access, the product shall be able to operate continuously, automatically or remotely without causing a safety hazard and the product shall signal its remote operation visibly on the product.

8.4 If a local action is initiated on the product, it shall take precedence and priority over a remote action that occurs at the same time.

8.5 The strength of the authentication mechanism shall be such that the risk of a successful remote authentication by an attacker who is not in possession of valid authentication credentials is defined as part of the risk assessment model. The vendor shall assess this risk as part of the risk assessment defined in Section 12 of the Outline of Investigation for Software Cybersecurity for Network-Connectable Devices, Part 1: General Requirements, UL 2900-1.

8.6 The product shall be configurable to allow once a user is authenticated and granted remote access to the product, the product shall reject and record any attempt to setup another remote connection using the same user identity.

8.7 The product shall allow the ability for an operator to be disabled, deleted, expired or change of permissions when the product is not in a critical operator-dependent state transition with the operator to be disabled, deleted, expired or permission changed.

8.8 If the operator is connected and the operator permissions or status changes per 8.7, the operator shall be disconnected and a record in the audit log shall be made.

8.9 An attempt to randomly provide a credential shall have at a minimum a one in 1,000,000 success rate.

8.10 The transmission of the authentication credential to a product via a remote connection covered on this section cannot be in plaintext or easily intercepted and duplicated unless:

a) The information by itself cannot be used for authentication but is input in a split knowledge procedure. Documentation shall prove that only access of ALL components in the split knowledge has the ability to determine the information.
b) The transmission path is a trusted path, for example a directly connected physical cable that is not shared by any other system or products.

8.11 The storage of the authentication credential on the product shall not be in plaintext and shall be protected from unauthorized disclosure or modification by using one of the cryptography mechanisms defined in Section 10, Cryptography.

9 Remote Communication

9.1 The product shall comply with Remote Communication, Section 9, of the Outline of Investigation for Software Cybersecurity for Network-Connectable Devices, Part 1: General Requirements, UL 2900-1.

9.2 Remote connection from different sources shall not disturb the proper function of the product and shall not cause any security flaw. The following measures in 9.3 - 9.6 shall apply.

9.3 Messages sent over a remote connection shall be processed as first in, first out unless a defined message priority or connection is specified by the manufacturer specifications.

Exception: If a remote connection is used for a critical operation in a machine to machine connection, then the remote connection does not have to comply.

9.4 Any remote operation shall be completed before another remote operation can change the operation of the preceding unless specified differently by the manufacturer specifications.

Exception: If a remote connection is used for a critical operation in a machine to machine connection, then the remote connection does not have to comply.

9.5 To prevent the corruption of data, message alteration, spoofing or replay, the remote connection shall be able to detect and/or resist the ability of a message being altered between the sender and the receiver. The product shall protect the confidentiality, authenticity and integrity of all messages exchanged over a remote connection. The product shall prevent message replay. Proprietary protocols that are not openly published shall describe the mechanism used to prevent message alteration and shall provide risk assessment to identify they meet the requirements of this section.

9.6 The product shall be
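
The receiver-side checks that 9.5 calls for (detect an altered message, reject a replayed one), as an added example that is not part of the UL outline: each frame carries a counter and an HMAC-SHA256 tag under a pre-shared key. The frame layout, the names seal and Receiver, and the sample key and messages are assumptions made for illustration; confidentiality, which 9.5 also requires, needs encryption on top and is not shown.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Sender side: frame = 8-byte big-endian counter | payload | HMAC tag."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Accepts each authentic frame once, in strictly increasing counter order."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0  # highest counter accepted so far
        self.audit_log = []     # rejections are recorded, not silently dropped

    def accept(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return self._reject("truncated")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Constant-time compare; the counter is only trusted after the tag verifies.
        if not hmac.compare_digest(tag, expected):
            return self._reject("altered")
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self._last_counter:
            return self._reject("replayed")
        self._last_counter = counter
        return body[8:]

    def _reject(self, reason: str):
        self.audit_log.append(reason)
        return None


def demo():
    key = bytes(range(32))  # constructed sample key, for illustration only
    rx = Receiver(key)
    first = seal(key, 1, b"SETPOINT=40")   # constructed sample messages
    second = seal(key, 2, b"SETPOINT=45")
    tampered = bytearray(seal(key, 3, b"SETPOINT=50"))
    tampered[10] ^= 0x01                   # one payload bit changed in transit
    frames = [first, second, first, bytes(tampered)]
    return [rx.accept(f) for f in frames], rx.audit_log
```

The third frame is a byte-for-byte copy of the first, so its tag verifies and only the counter check stops it; the fourth fails the tag check before its counter is ever read.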
