NOTICE OF COPYRIGHT

This is a copyright document and may not be copied or distributed in any form or manner without the permission of ISA. This copy of the document was made for the sole use of the person to whom ISA provided it and is subject to the restrictions stated in ISA's license to that person. It may not be provided to any other person in print, electronic, or any other form. Violations of ISA's copyright will be prosecuted to the fullest extent of the law and may result in substantial civil and criminal penalties.

TECHNICAL REPORT ISA-TR84.00.09-2017
Cybersecurity Related to the Functional Safety Lifecycle
Approved 10 April 2017

ISA-TR84.00.09-2017, Cybersecurity Related to the Functional Safety Lifecycle
ISBN: 978-1-945541-49-0
Copyright 2017 by ISA. All rights reserved. Not for resale. Printed in the United States of America.
ISA, 67 Alexander Drive, P. O. Box 12277, Research Triangle Park, NC 27709 USA

PREFACE

This preface, as well as all footnotes and annexes, is included for information purposes and is not part of ISA-TR84.00.09-2017.

This document has been prepared as part of the service of ISA, the International Society of Automation, toward a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: standards@isa.org.

It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards, recommended practices and technical reports. Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA or of any of the standards, recommended practices and technical reports that ISA develops.

CAUTION

ISA DOES NOT TAKE ANY POSITION WITH RESPECT TO THE EXISTENCE OR VALIDITY OF ANY PATENT RIGHTS ASSERTED IN CONNECTION WITH THIS DOCUMENT, AND ISA DISCLAIMS LIABILITY FOR THE INFRINGEMENT OF ANY PATENT RESULTING FROM THE USE OF THIS DOCUMENT. USERS ARE ADVISED THAT DETERMINATION OF THE VALIDITY OF ANY PATENT RIGHTS, AND THE RISK OF INFRINGEMENT OF SUCH RIGHTS, IS ENTIRELY THEIR OWN RESPONSIBILITY.

PURSUANT TO ISA'S PATENT POLICY, ONE OR MORE PATENT HOLDERS OR PATENT APPLICANTS MAY HAVE DISCLOSED PATENTS THAT COULD BE INFRINGED BY USE OF THIS DOCUMENT AND EXECUTED A LETTER OF ASSURANCE COMMITTING TO THE GRANTING OF A LICENSE ON A WORLDWIDE, NONDISCRIMINATORY BASIS, WITH A FAIR AND REASONABLE ROYALTY RATE AND FAIR AND REASONABLE TERMS AND CONDITIONS. FOR MORE INFORMATION ON SUCH DISCLOSURES AND LETTERS OF ASSURANCE, CONTACT ISA OR VISIT WWW.ISA.ORG/STANDARDSPATENTS.

OTHER PATENTS OR PATENT CLAIMS MAY EXIST FOR WHICH A DISCLOSURE OR LETTER OF ASSURANCE HAS NOT BEEN RECEIVED. ISA IS NOT RESPONSIBLE FOR IDENTIFYING PATENTS OR PATENT APPLICATIONS FOR WHICH A LICENSE MAY BE REQUIRED, FOR CONDUCTING INQUIRIES INTO THE LEGAL VALIDITY OR SCOPE OF PATENTS, OR DETERMINING WHETHER ANY LICENSING TERMS OR CONDITIONS PROVIDED IN CONNECTION WITH SUBMISSION OF A LETTER OF ASSURANCE, IF ANY, OR IN ANY LICENSING AGREEMENTS ARE REASONABLE OR NON-DISCRIMINATORY. ISA REQUESTS THAT ANYONE REVIEWING THIS DOCUMENT WHO IS AWARE OF ANY PATENTS THAT MAY IMPACT IMPLEMENTATION OF THE DOCUMENT NOTIFY THE ISA STANDARDS AND PRACTICES DEPARTMENT OF THE PATENT AND ITS OWNER.

ADDITIONALLY, THE USE OF THIS DOCUMENT MAY INVOLVE HAZARDOUS MATERIALS, OPERATIONS OR PROCESS EQUIPMENT. THE DOCUMENT CANNOT ANTICIPATE ALL POSSIBLE APPLICATIONS OR ADDRESS ALL POSSIBLE SAFETY ISSUES ASSOCIATED WITH USE IN HAZARDOUS CONDITIONS. THE USER OF THIS TECHNICAL REPORT SHOULD EXERCISE SOUND PROFESSIONAL JUDGMENT CONCERNING ITS USE AND APPLICABILITY UNDER THE USER'S PARTICULAR CIRCUMSTANCES. THE USER SHOULD ALSO CONSIDER THE APPLICABILITY OF ANY GOVERNMENTAL REGULATORY LIMITATIONS AND ESTABLISHED SAFETY AND HEALTH PRACTICES BEFORE IMPLEMENTING THIS TECHNICAL REPORT.

ISA (www.isa.org) is a nonprofit professional association that sets the standard for those who apply engineering and technology to improve the management, safety, and cybersecurity of modern automation and control systems used across industry and critical infrastructure. Founded in 1945, ISA develops widely used global standards; certifies industry professionals; provides education and training; publishes books and technical articles; hosts conferences and exhibits; and provides networking and career development programs for its 40,000 members and 400,000 customers around the world.

ISA owns Automation.com, a leading online publisher of automation-related content, and is the founding sponsor of The Automation Federation (www.automationfederation.org), an association of non-profit organizations serving as "The Voice of Automation." Through a wholly owned subsidiary, ISA bridges the gap between standards and their implementation with the ISA Security Compliance Institute (www.isasecure.org) and the ISA Wireless Compliance Institute (www.isa100wci.org).

The following members of ISA84 Working Group 9 served as active contributors in the development
of this technical report revision:

NAME (AFFILIATION)
Harold W Thomas (Hal), Chair (exida)
Kevin Arnold (Phillips 66)
David Bennett (Phillips 66)
Rahul Bhojani (BP)
John D. Day (Air Products and Chemicals)
David Deibert (Air Products and Chemicals)
Andrew Feben (Eigen Ltd)
David Gunter (Air Products and Chemicals)
Eric Hopp (Rockwell Automation)
Kevin Klein (Chevron ETC)
Vic Maggioli (Feltronics Corp)
Marcelo Mollicone (SYM PCS)
Nagappan Muthiah (Wood Group)
Eric Persson (exida)
Jeff Potter (Emerson)
Richard Roberts (Suncor Energy)
Eloise Roche (SIS-TECH Solutions)
Byron Schneidau (BP Pipelines)

Comparison of the functional safety and cybersecurity lifecycles (table fragment; the preceding rows and the label of the first row shown are on a page not reproduced here):

(row label cut off)
  Functional safety:
  ... risk may be quantified
  Cybersecurity:
  - Based on likelihood and severity; risk is currently qualitative
  - Risk categorization for every cybersecurity requirement
  - Multi-dimensional problem
  - Assigned to zone with target SL for each zone/conduit

Risk mitigation measures
  Functional safety:
  - Relies on independent protection layers concept
  - Safeguards reduce likelihood of consequence evaluated
  - Identifies integrity requirements for safeguards; for SIF assigns target SIL
  Cybersecurity:
  - Relies on cybersecurity countermeasures within zones, conduits interconnecting zones, and defense in depth concept
  - Countermeasures reduce likelihood
  - Identifies requirements for countermeasures to meet the zone target SL for each threat vector

Implementation of measures
  Functional safety:
  - Safety manual for components
  - Quantitative SIL verification for SIF
  Cybersecurity:
  - Cybersecurity manual for components
  - Verification through different levels of testing for target SL

Operation and maintenance
  Functional safety:
  - Restrict access to IACS components to competent personnel with necessary access privileges
  - Periodic testing of measures
  - Demand rate and component failures to be monitored
  - Awareness and training
  Cybersecurity:
  - Restrict access to IACS components to competent personnel with necessary access privileges
  - Periodic testing of measures
  - Frequent reviews to identify new vulnerabilities and take appropriate action, if necessary
  - Awareness and training
  - Cyber risk reassessment after each software or hardware change

Management system
  Functional safety:
  - Defines requirements for competency, training, verification, testing, audit, MOC, and documentation
  Cybersecurity:
  - Defines requirements for competency, training, verification, testing, audit, MOC, and documentation

1 Scope

This document is intended to address and provide guidance on integrating the cybersecurity lifecycle with the safety lifecycle as they relate to Safety Controls, Alarms, and Interlocks (SCAI), inclusive of Safety Instrumented Systems (SIS). This scope includes the work processes and countermeasures used to reduce the risk involved due to cybersecurity threats to the Industrial Automation and Control System (IACS) network.

This scope provides recommendations to ensure SCAI are adequately secured, because a cyber attack can act like a common mode failure: it can both initiate a hazardous demand and prevent instrumented protection functions, including the SIS, from performing their intended purpose. The scope is intended to address cybersecurity from both external and internal threats.

Although not directly within the scope, enterprise networks, business networks and process information networks (demilitarized zones) that represent a threat vector to the SCAI systems, or contain countermeasures that reduce the risk to the SCAI systems from external cyber threats, are included.

The scope does not address physical plant protection (for example, fences, bollards, and grounding) that has the intent of preventing unauthorized entry into the plant so as to prevent theft, vandalism, or physical damage, but does address physical access issues related to cybersecurity of the IACS (see 12.4 of this technical report).

SCAI systems that are constructed exclusively of electrical/electronic components without digital signal technology are not vulnerable to cybersecurity attacks, and these technologies are not discussed in this technical report.

2 References

The following documents are important for understanding this technical report. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. For information on obtaining ISA standards and technical reports, visit: www.isa.org/findstandards

In addition, readers should be aware of the ongoing development of additional standards in the ANSI/ISA-62443 series, Security for Industrial Automation and Control Systems, listed in the Bibliography. For an update on the status of these standards, visit https://www.isa.org/isa99/ .

IEC 61508-2010, Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
IEC 61511-1, Functional Safety: Safety Instrumented Systems for the Process Industry Sector, Part 1: Framework, Definitions, System, Hardware and Software Requirements
ISA-84.00.01-Part 1 (IEC 61511-1), Functional Safety: Safety Instrumented Systems for the Process Industry Sector, Part 1: Framework, Definitions, System, Hardware and Software Requirements
ANSI/ISA-84.91.01-2012, Identification and Mechanical Integrity of Safety Controls, Alarms, and Interlocks in the Process Industry, 2012

3 Terms, definitions, abbreviated terms, acronyms, and conventions

3.1 Terms and definitions

Conduit (ANSI/ISA-62443-1-1)
[definition not reproduced here]

... neither should it be assumed that each type is necessarily separate and independent.
Note 2 to entry: Refer to ISA-84.00.01-2004 (IEC 61511 Mod) for additional requirements related to safety instrumented systems.
Note 3 to entry: Examples of non-instrumented safeguards include rupture disks, relief valves, dikes, etc.

Security level (ANSI/ISA-62443-1-1)
Level corresponding to the required effectiveness of countermeasures and inherent security properties of devices and systems for a zone or conduit, based on assessment of risk for the zone or conduit.

Security level 0 (ISA-62443-3-2)
Security level with the following attributes:
- No specific requirements or security protection.

Security level 1
Security level with the following attributes:
- Intended to protect against casual or coincidental violation.
- Countermeasure and detection effectiveness capable of delaying or denying an attack for a period of 4 to 8 hours.

Security level 2
Security level with the following attributes:
- Intended to protect against intentional violation using simple means with low resources, generic skills and low motivation.
- Countermeasure and detection effectiveness capable of delaying or denying an attack for a period of days.
- Order of magnitude improvement in risk reduction factor (RRF) over security level 1.

Security level 3
Security level with the following attributes:
- Intended to protect against intentional violation using sophisticated means with moderate resources, IACS-specific skills and moderate motivation.
- Countermeasure and detection effectiveness capable of delaying or denying an attack for a period of days to weeks.
- Order of magnitude improvement in risk reduction factor (RRF) over security level 2.

Security level 4
Security level with the following attributes:
- Intended to protect against intentional violation using sophisticated means with extended resources, IACS-specific skills and high motivation.
- Countermeasure and detection effectiveness capable of delaying or denying an attack for a period of weeks to months.
- Order of magnitude improvement in risk reduction factor (RRF) over security level 3.

Threat
1) Potential for violation of security, which exists when there is a circumstance, capability, action or event that could breach security and cause harm.
2) Circumstance or event with the potential to adversely affect organizational operations (e.g., mission, functions, reputation), organizational assets, IACS, or personnel via means contrary to security policy, and to intentionally or unintentionally cause the destruction, disclosure, or modification of data, control logic, or SCAI logic, and/or denial of service.

Threat agent
Method(s), individual(s) or organization(s) that could breach the security of a facility, operation or system by exploiting a vulnerability.

Threat vector (ISA-62443-1-2)
Path or means by which a threat agent can gain access to an asset, resulting in a negative outcome.

Unmitigated cyber risk
Level of risk that is present in a system before any cybersecurity countermeasures are considered.

Vulnerability (ISA-62443-1-2, slight revision to no. 2)
1) Flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's integrity or security policy.
2) Weakness in an IACS function, procedure, internal control or implementation that could be exploited or triggered by a threat source, either intentionally designed into computer components (e.g., remote port access) or accidentally inserted at any time during the lifecycle.

Zone (ISA-62443-3-3)
Grouping of logical or physical assets that share common security requirements.
Note to entry: A zone has a clear border. The security policy of a zone is typically enforced by a combination of mechanisms both at the zone edge and within the zone.

For additional definitions, see IEC 61511 [2], ISA-84.00.01-2004 [3], and ISA-62443-1-2 [5].

3.2 Abbreviated terms and acronyms

The abbreviated terms and acronyms used in this document are defined as follows:
ACL Access Control List
APT Advanced Persistent Threat
ALARP As Low As Reasonably Practicable
ANSI American Nati