ISA TR84 00 09-2013 Security Countermeasures Related to Safety Instrumented Systems (SIS).pdf

ISA-TR84.00.09-2013
Security Countermeasures Related to Safety Instrumented Systems (SIS)
Approved 6 November 2013

ISBN: 978-0-876640-52-4
Copyright 2013 by ISA. All rights reserved. Not for resale. Printed in the United States of America.
ISA, 67 Alexander Drive, P. O. Box 12277, Research Triangle Park, NC 27709 USA

PREFACE

This preface, as well as all footnotes and annexes, is included for information purposes and is not part of ISA-TR84.00.09-2013.

This document has been prepared as part of the service of ISA, the International Society of Automation, toward a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: standards@isa.org.

It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards, recommended practices and technical reports. Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA or of any of the standards, recommended practices and technical reports that ISA develops.

CAUTION

ISA DOES NOT TAKE ANY POSITION WITH RESPECT TO THE EXISTENCE OR VALIDITY OF ANY PATENT RIGHTS ASSERTED IN CONNECTION WITH THIS DOCUMENT, AND ISA DISCLAIMS LIABILITY FOR THE INFRINGEMENT OF ANY PATENT RESULTING FROM THE USE OF THIS DOCUMENT. USERS ARE ADVISED THAT DETERMINATION OF THE VALIDITY OF ANY PATENT RIGHTS, AND THE RISK OF INFRINGEMENT OF SUCH RIGHTS, IS ENTIRELY THEIR OWN RESPONSIBILITY.

PURSUANT TO ISA'S PATENT POLICY, ONE OR MORE PATENT HOLDERS OR PATENT APPLICANTS MAY HAVE DISCLOSED PATENTS THAT COULD BE INFRINGED BY USE OF THIS DOCUMENT AND EXECUTED A LETTER OF ASSURANCE COMMITTING TO THE GRANTING OF A LICENSE ON A WORLDWIDE, NONDISCRIMINATORY BASIS, WITH A FAIR AND REASONABLE ROYALTY RATE AND FAIR AND REASONABLE TERMS AND CONDITIONS. FOR MORE INFORMATION ON SUCH DISCLOSURES AND LETTERS OF ASSURANCE, CONTACT ISA OR VISIT WWW.ISA.ORG/STANDARDSPATENTS.

OTHER PATENTS OR PATENT CLAIMS MAY EXIST FOR WHICH A DISCLOSURE OR LETTER OF ASSURANCE HAS NOT BEEN RECEIVED. ISA IS NOT RESPONSIBLE FOR IDENTIFYING PATENTS OR PATENT APPLICATIONS FOR WHICH A LICENSE MAY BE REQUIRED, FOR CONDUCTING INQUIRIES INTO THE LEGAL VALIDITY OR SCOPE OF PATENTS, OR DETERMINING WHETHER ANY LICENSING TERMS OR CONDITIONS PROVIDED IN CONNECTION WITH SUBMISSION OF A LETTER OF ASSURANCE, IF ANY, OR IN ANY LICENSING AGREEMENTS ARE REASONABLE OR NON-DISCRIMINATORY. ISA REQUESTS THAT ANYONE REVIEWING THIS DOCUMENT WHO IS AWARE OF ANY PATENTS THAT MAY IMPACT IMPLEMENTATION OF THE DOCUMENT NOTIFY THE ISA STANDARDS AND PRACTICES DEPARTMENT OF THE PATENT AND ITS OWNER.

ADDITIONALLY, THE USE OF THIS DOCUMENT MAY INVOLVE HAZARDOUS MATERIALS, OPERATIONS OR PROCESS EQUIPMENT. THE DOCUMENT CANNOT ANTICIPATE ALL POSSIBLE APPLICATIONS OR ADDRESS ALL POSSIBLE SAFETY ISSUES ASSOCIATED WITH USE IN HAZARDOUS CONDITIONS. THE USER OF THIS TECHNICAL REPORT SHOULD EXERCISE SOUND PROFESSIONAL JUDGMENT CONCERNING ITS USE AND APPLICABILITY UNDER THE USER'S PARTICULAR CIRCUMSTANCES. THE USER SHOULD ALSO CONSIDER THE APPLICABILITY OF ANY GOVERNMENTAL REGULATORY LIMITATIONS AND ESTABLISHED SAFETY AND HEALTH PRACTICES BEFORE IMPLEMENTING THIS DOCUMENT.

The following members of ISA84 Working Group 9 served as active contributors in the development of this technical report (name, affiliation):

- Harold W Thomas, Working Group Chair, exida
- Marc Baque, Total
- Keith Bellville, Emerson
- Michael Corbo, ExxonMobil
- John Cusimano, exida
- Ed Crawford, Chevron
- James Gilsinn, Kenexis
- William Hearn, SIS-Tech
- Kevin Klein, Chevron
- Joel Langill, Scadahacker
- Vic Maggioli, Feltronics

This technical report was approved for publication by the ISA Standards and Practices Board on 6 November 2013 (name, affiliation):

- E. Cosman, Vice President, The Dow Chemical Company
- D. Bartusiak, ExxonMobil Chemical Company
- P. Brett, Honeywell Inc.
- J. Campbell, Consultant
- M. Coppler, Det Norske Veritas Certification Inc.
- B. Dumortier, Schneider Electric
- D. Dunn, Aramco Services Co.
- J. Federlein, Federlein

[...]

- Inventory (including subsystems, network devices, software);
- Definition of roles and responsibilities;
- Cybersecurity risk assessment;
- Security of operation (including the network segregation re: Annex A, the logical and physical protection);
- Maintenance policy and contract management;
- Maintenance tools;
- Incident response and disaster recovery plan;
- Backup and host protection (for example, antivirus, application white listing) management;
- Patch upgrade management;
- Confidentiality of its work, by limiting the communication of the specific practices employed to meet the objectives of cybersecurity. Only specific personnel within the organization with the need to fully understand the tactics employed should receive this communication.

The organization responsible for security should also be engaged during each phase of the safety life cycle. This helps to maintain communication between the organizations and to assess potential consequences within each group's existing scope, to ensure that each area's initiatives complement the others.

Persons, departments or organizations involved in cybersecurity life-cycle activities should be competent to carry out the activities for which they are accountable. As skill requirements change due to new equipment or procedures, senior technical and management personnel should review competency requirements to ensure the desired outcome for their facility's SIS installations.

5 Hazard and risk analysis (Clause 8)

The hazards of significance to a SIS relative to security protection include:

- Safety instrumented function (SIF) failure to function when needed;
- SIF spuriously functions; and
- Common mode failure of the basic process control system (BPCS) generating a demand with the SIS in a fail-to-function state.

A risk assessment should be performed that concentrates on the potential likelihood and consequences of an event occurring. This risk assessment should contain aspects of both safety and security and reflect the possible consequences of a failure to provide adequate security countermeasures. Safety risk assessments are, in general, much more quantitative in nature than those for security due to the different potential threat sources.

The security threat landscape is constantly changing, but there are some general classifications of potential threats, as described in the ISA/IEC 62443 series, that an organization should consider:

- Malicious hacker: an individual whose objective is to penetrate the security defenses of a third-party computer system or network (ISO/IEC 27002; see Bibliography).
- Professional hackers: an organization funded by a government or other entity specifically aimed at penetrating security defenses.
- Disgruntled employee: an individual working for the organization who may be inclined to do harm resulting from his state of mind regarding the organization.
- Well-meaning employee: an individual working for the organization who, during the course of his work, circumvents a security countermeasure in order to "get the job done."
- Third-party contractor: an individual or organization that may have privileged access to the BPCS, SIS and/or other control-related systems through an agreement in order to operate or maintain those systems.
- Automated systems (device-to-device): automated portions of the BPCS, SIS and/or other control-related systems that have privileged access.

These potential threat sources may exploit vulnerabilities in countermeasures that result in consequences. As with the list of potential threats, the host of potential vulnerabilities can be quite extensive. A few of the vulnerability classes include:

- Software bugs: errors introduced, either intentionally or unintentionally, while programming the software and/or firmware on devices, that allow a threat source to circumvent security countermeasures.
- Hardware failures: failure of devices, for any reason, that results in the potential compromise of a system and/or circumvention of security countermeasures.
- Security countermeasure degradation: security countermeasures whose effectiveness degrades over time and which can be circumvented due to new security techniques, additional computing performance, and the like, such as encryption techniques that are broken or the use of short passwords (re: ANSI/ISA-62443-1-1 definition of password strength).
- Credential reuse: using the same set of credentials at multiple locations allows a threat source to potentially compromise multiple systems.
- Confidential information release: releasing confidential information to a potential threat source, whether intentionally or unintentionally, that allows the threat source to circumvent security countermeasures. These vulnerabilities could be in both technical and policy countermeasures, such as not securing credential databases, sending passwords in clear text across a network, or targeted social engineering of employees.
- Systematic errors leading to misconfiguration (for example, failure to change default passwords).

Security countermeasures employed by an organization will need to consist of both policy- and procedure-level countermeasures as well as technical countermeasures. Policy- and procedure-level countermeasures may include staff training and awareness programs, testing programs, change management programs, identification and authorization procedures, and the like.

Any security management system implemented within an organization should include conditions which dictate re-evaluating the risk assessment. These may include, but are not limited to:

- Developing a new, or designing a modification to an existing, control system or SIS;
- Implementing a new or modified control system or SIS; and
- Retiring/decommissioning a control system or SIS.

Details of the risk assessment work process are not part of the scope of this document. Refer to the ISA/IEC 62443 series of standards for additional guidance.

6 Allocation of safety functions to protection layers (Clause 9)

Countermeasures included in this document should be considered with respect to the SIS in addition to applicable requirements and requirement enhancements in the ISA/IEC 62443 series of standards. Guidance with respect to application of the security countermeasures to the BPCS is covered in the ISA/IEC 62443 series of standards.

NOTE: The countermeasures referred to in this document may be applicable to other instrumented systems, such as safety controls, alarms and interlocks (see ANSI/ISA 84.91.01-2012, Bibliography).

7 Safety requirements specification (SRS) for the safety instrumented system (Clauses 10 and 12)

The SRS should have a section dedicated to security countermeasures addressing, as a minimum, the following:

- Security countermeasures should not impact the performance of the SIS. If a security countermeasure has the potential to impact the overall response time of the SIF, then the response time impact of the security countermeasure should be incorporated in the calculation of the overall response time of the SIF (for example, the time from process deviation detection through the process response to final element action).
- Selection of the security countermeasures should take into account the ability to support interoperability of different manufacturers' devices without degrading the safety integrity, the safety integrity level (SIL), the reliability (spurious trip rate), and the communication speed.

8 Design and engineering of safety instrumented system (Clauses 11 and 12)

8.1 Independence and segregation

The support systems for the SIS, such as engineering stations, HMI, historians, and alarm panels, can either be totally separate and independent from the outside world or there can be limited integration with the BPCS. Functional independence and segregation should be provided to address the level of impact from external sources on the security. There are many devices within the SIS that require application programming. The application programming devices range from an independent handheld programmer to a common PES engineering station. The functional independence of the programming units needs to be the same as used in the design of the SIS.

8.1.1 Full independence and segregation (Figures A.1 and A.2)

Where the network scheme is independent (re: Figures A.1 and A.2), the application can only be accessed by PES devices restricted to the SIS. The management of this type of system is less complex since you only need to focus on access security and revision control for the application program and the vendor software. The SIS HMI is independent and separate from other systems.

As one of the technical measures, consideration should be given to the installation of dedicated controller "stateful firewalls" between the hosts communicating with the SIS and the network to which they are connected. These devices provide an additional countermeasure, which can control not only the hosts that can communicate directly with the SIS logic solvers, but also the data that is communicated in these connections as it crosses between the Control and Safety Zones (re: Figures A.1 and A.2). Design of security countermeasures should ensure that any failures of the SIS communication interface with the BPCS do not prevent any SIF from performing its safety function.

8.1.2 Integrated (Figures A.3 and A.4)

Where the SIS is integrated with other systems, the SIS is not separate from the network and has parts that are integrated with the BPCS. Functional isolation against intrusions from external sources should include installation of dedicated "stateful firewalls" between the integrated system and the network to which they are connected. The network and the firewall should be considered part of the SIS and managed as such. For integrated HMI, validation of inputs from the HMI should be performed by the SIS logic solver. Access to allow changes should include a time-limited window of opportunity.

8.2 Access

Access security can be accomplished following the schemes listed in Annex A. The risk and effort required for each of these schemes vary significantly. Where the consequence from intrusion from the outside is high, providing an Air Gapped (Figure A.1) or Interfaced (Figure A.2) scheme may be required to reduce the risk of an incident. Where
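The following is an added illustration of the 8.1.2 recommendations (logic-solver-side validation of HMI inputs, plus a time-limited window for changes); it is not code from the technical report. Tag names, engineering limits, the permitted HMI host and the 30-minute window are all constructed assumptions, and a real logic solver would implement the equivalent in its safety application rather than in Python.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Tags the operator HMI may write, with engineering limits (constructed example). SIF trip
# setpoints are deliberately absent: they change only via the SIS engineering workflow.
WRITABLE_TAGS = {
    "PT-101.ALARM_HI": (0.0, 150.0),   # high-pressure alarm limit, barg
    "XV-201.MAINT_BYPASS": (0, 1),     # maintenance override, boolean
}

@dataclass(frozen=True)
class ChangeWindow:
    """Time-limited window of opportunity during which HMI changes are accepted."""
    opened_at: datetime
    duration: timedelta
    def is_open(self, now: datetime) -> bool:
        return self.opened_at <= now < self.opened_at + self.duration

@dataclass(frozen=True)
class HmiWrite:
    tag: str
    value: float
    source_host: str  # HMI host identity as seen by the logic solver

def validate_hmi_write(req: HmiWrite, window, now: datetime, allowed_hosts) -> tuple[bool, str]:
    """Logic-solver-side check returning (accepted, reason). Because it runs in the
    solver and not in the HMI, a compromised or misbehaving HMI cannot skip it."""
    if window is None or not window.is_open(now):
        return False, "no open change window"
    if req.source_host not in allowed_hosts:
        return False, "source host not permitted to write to the SIS"
    limits = WRITABLE_TAGS.get(req.tag)
    if limits is None:
        return False, "tag is not HMI-writable"
    lo, hi = limits
    if not lo <= req.value <= hi:
        return False, f"value {req.value} outside engineering range [{lo}, {hi}]"
    return True, "accepted"

def run_scenario() -> list[tuple[bool, str]]:
    """Constructed requests exercising the accept path and each rejection path."""
    now = datetime(2013, 11, 6, 10, 0, tzinfo=timezone.utc)
    window = ChangeWindow(opened_at=now - timedelta(minutes=5), duration=timedelta(minutes=30))
    hosts = {"hmi-safety-01"}
    cases = [
        (HmiWrite("PT-101.ALARM_HI", 120.0, "hmi-safety-01"), now),                        # accepted
        (HmiWrite("PT-101.ALARM_HI", 120.0, "hmi-safety-01"), now + timedelta(hours=1)),   # window expired
        (HmiWrite("PT-101.ALARM_HI", 120.0, "eng-laptop-99"), now),                        # wrong host
        (HmiWrite("PT-101.TRIP_SP", 90.0, "hmi-safety-01"), now),                          # protected tag
        (HmiWrite("XV-201.MAINT_BYPASS", 2, "hmi-safety-01"), now),                        # out of range
    ]
    return [validate_hmi_write(req, window, t, hosts) for req, t in cases]
```

Every rejection carries a reason string so the logic solver can log it; those rejects are the events an incident response plan (see the management list above) would want forwarded to security monitoring.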
