DEPARTMENT OF THE AIR FORCE
HEADQUARTERS AIR FORCE CIVIL ENGINEER SUPPORT AGENCY

30 MAR 2011

APPROVED FOR PUBLIC RELEASE: DISTRIBUTION UNLIMITED

FROM: HQ AFCESA/CEO
139 Barnes Drive, Suite 1
Tyndall AFB FL 32403-5319

SUBJECT: Engineering Technical Letter (ETL) 11-1: Civil Engineer Industrial Control System Information Assurance Compliance

1. Purpose. This ETL provides technical guidance and criteria for information assurance (IA) of civil engineering (CE) industrial control systems (ICS). This ETL applies to all ICSs that utilize any means of connectivity to monitor and control industrial processes, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as programmable logic controllers (PLC), which are often found in industrial equipment and critical infrastructures. Note: The use of the name or
mark of any specific manufacturer, commercial product, commodity, or service in this ETL does not imply endorsement by the Air Force.

2. Application. This ETL supersedes ETL 09-11, Civil Engineering Industrial Control System Information Assurance Compliance, dated October 26, 2009. Requirements in this ETL are mandatory. The interpreting authority for this ETL is the Air Force Civil Engineer Support Agency, Operations and Programs Support Division, Engineer Support Branch (HQ AFCESA/CEOA).

2.1. Authority: Air Force instruction (AFI) 32-1063, Electric Power Systems.

2.2. Effective Date: Immediately.

2.3. Intended Users:
- Major command (MAJCOM) engineers
- Base civil engineers (BCE)
- ICS information assurance managers (IAM)

2.4. Coordination:
- MAJCOM engineers responsible for CE ICSs
- The Air Force Civil Engineer, Resources Division, Information Technology Branch (HQ AF/A7CRT)
- Air Force Network
Integration Center, Information Assurance Directorate (AFNIC/EV) and Air Force certifying authority (CA)
- Chief, Cyberspace Surety Division (SAF/A6OI), on behalf of Director, Cyberspace Operations (SAF/A6O) and Air Force senior information assurance officer (SIAO)

Provided by IHS. Not for Resale. No reproduction or networking permitted without license from IHS.

3. Referenced Publications.

3.1. Air Force (departmental publications available at http://www.e-publishing.af.mil/):
- Air Force policy directive (AFPD) 16-14, Information Protection
- AFI 31-401, Information Security Program Management
- AFI
31-501, Personnel Security Program Management
- AFI 32-1063, Electric Power Systems
- AFI 33-112, Information Technology Hardware Asset Management
- AFI 33-114, Software Management
- AFI 33-115V1, Network Operations (NETOPS)
- AFI 33-115V2, Licensing Network Users and Certifying Network Professionals
- AFI 33-200, Information Assurance (IA) Management
- AFI 33-210, Air Force Certification and Accreditation (C

however, PITIs are specifically subject to the AFCAP, per AFI 33-210.

5.2.4. Figure 1 shows the applicability of IA policy for PIT systems and IA policy and the AFCAP for PITIs to the AF-GIG.

6. Designated Personnel Roles, Responsibilities, and Qualifications.

[Figure 1. AFCAP Applicability (AFI 33-210). Figure labels: Security Boundary/DMZ; Platform IT (PIT); PIT Interconnection (PITI); AF-GIG; Subject to IA policy and PIT C]

validate all access privileges annually; and re-evaluate frequency requirements every three
years or at any mission change, system change, or other significant change to operating requirements.
- Ensure appropriate access privileges for all individuals based on their training, qualification, and functional duties.
- Manage CE ICS access by ensuring that accounts are deactivated or activated in a controlled manner.
- Personnel designated to make configuration decisions and responsible for IA controls for both PIT and PITI shall be certified to IAT Level II or IAM Level I in accordance with DOD 8570.01-M.
- Have full administrative rights to install software updates/patches.
- Have access to review, modify, and edit the Enterprise Information Technology Data Repository (EITDR) entries as approved by the ICS FAM.
- Document and track system configurations for each CE-owned, -operated, and -maintained ICS throughout the system life cycle, including any Air Force CE ICSs operated and maintained by contractors.
- For each ICS, the ICS IAMs will assemble a PIT determination package in accordance with section 7.1.1 of this ETL and forward the package to the respective ICS FAM.
- Provide an annual
report entitled “Industrial Control System Security Status Report” to the MAJCOM ICS FAM. The report will include a summary of current systems and system changes and will indicate compliance/non-compliance with IA security requirements. This report is due to the ICS FAM in October of each year.

6.1.1.3. The alternate ICS IAM shall:
- Document and track system configurations for each CE-owned, -operated, and -maintained ICS throughout the system life cycle, including any Air Force CE ICSs operated and maintained by contractors.
- For each ICS, the ICS IAMs will assemble a PIT determination package in accordance with section 7.1.1 of this ETL and forward the package to the respective ICS FAM.
- Provide an annual report entitled “Industrial Control System Security Status Report” to the MAJCOM ICS FAM. The report will include a summary of current systems and system changes and will indicate compliance/non-compliance with IA security requirements. This report is due to the ICS FAM in October of each year.

6.1.2. MAJCOM ICS FAM. The ICS FAM is designated in writing by the MAJCOM A7O (Operations) or equivalent. The ICS FAM is responsible for collecting the base-level PIT determination packages,
reviewing them for completeness, and sending them to the ICS PM. In addition, the ICS FAM will submit an annual report entitled “Industrial Control System Security Status Report” to the ICS PfM. This report will contain a summary of current systems and system changes and will indicate compliance/non-compliance with IA security requirements. This report is due in November of each year. The ICS FAM may have access to create, modify, or delete EITDR entries as approved by the ICS PM or ICS PfM.

6.1.3. ICS PM. The ICS PM is designated in writing by HQ AFCESA/CEO. The ICS PM is responsible for ensuring appropriate scheduling of all IA aspects of the program to meet the ultimate goals of IA compliance. The ICS PM is also responsible to ensure that the following tasks are accomplished:
- Review and submit ICS PIT packages to Air Force CA for a PIT determination statement.
- Complete initial EITDR
entries for CE ICS PITs.
- Provide updates to MAJCOM FAMs on the status of C

Phase 2, ICS PIT C

and Phase 3, PITI AFCAP. Figure 2 summarizes the CE ICS C

Secure Sockets Layer (SSL) v3; Transport Layer Security (TLS); and systems using National Security Agency (NSA)-approved high assurance guards with link encryption methodology. Exception: Fire alarm reporting systems do not require data encryption for signaling to/from the fire alarm control panel (FACP). See paragraph 8.1.5.3 for requirements for sensitive compartmented information facilities (SCIF).

8.1.1.2. Substituting wireless for wired technology introduces numerous vulnerabilities into the network, which may be unacceptable or not cost-effective to mitigate. Convenience and/or minimal cost savings shall not be the sole justification for the use of wireless technologies.

8.1.1.3. Adding commercial wireless technologies to an existing approved network configuration boundary is considered a major configuration change and requires a review of security controls and the accreditation decision. Note: Data hashing, regardless of the
method, is not a form of encryption.

8.1.2. Telephone Modems.

8.1.2.1. PIT systems with modem connections to the Defense Switched Network (DSN) require PITI C

however, non-licensed devices may provide valuable and unique supplemental or expendable radio communications services where needed. To ensure adequate regulatory protection, Federal entities should rely only on devices with frequency assignments in the Federal or military spectrum and in the government master file as principal radio communication systems for safeguarding human life or property.

8.1.4.2. Any wireless transmission in the
2.4 gigahertz (GHz) unlicensed frequency range that is not a Combat Information Transport System Program Management Office (CITS PMO)-installed access point should be coordinated with the CITS lead command, AFNIC (afnic.ecnnus.af.mil, (618) 229-5666), for possible interference.

8.1.5. Fire Alarm Reporting Systems.

8.1.5.1. Manually connect/disconnect remote system access (RSA) on all FACPs and/or servers (e.g., D-21) when RSA actions are needed/complete. Section 8.1.2 of this ETL identifies modem connection requirements.

8.1.5.2. Communications modems shall comply with section 8.1.2.

8.1.5.3. Fire alarm reporting from any SCIF to FACPs shall be wired (e.g., copper, fiber) systems, not wireless, and require an (air gap) isolation device if the available notification appliance device is a speaker. Fire alarm reporting signals sent from the SCIF FACP to the central monitoring station must be encrypted.

8.1.6. Virtual Local Area Networks (VLANs).

8.1.6.1. VLANs divide physical networks into smaller logical networks to increase performance, improve manageability, and simplify network design. VLANs are achieved through the use of managed Ethernet switches. A managed switch provides all
the features of an unmanaged switch, plus the ability to configure the switch to allow greater control over how the data travels over the network and who has access to it. Each VLAN consists of a single broadcast domain that isolates traffic from other VLANs. Just as replacing hubs with switches reduces collisions, using VLANs limits the broadcast traffic, as well as allowing logical subnets to span multiple physical locations. There are two categories of VLANs:
- Static, often referred to as port-based, in which switch ports are assigned to a VLAN so that it is transparent to the end user.
- Dynamic, in which an end device negotiates VLAN characteristics with the switch or determines the VLAN based on the IP or hardware addresses.

8.1.6.2. Although more than one IP subnet may coexist on the
same VLAN, the general recommendation is to use a one-to-one relationship between subnets and VLANs. This practice requires the use of a router or multi-layer switch to join multiple VLANs. Many routers and firewalls support tagged frames so that a single physical interface can be used to route between multiple logical networks.

8.1.6.3. VLANs are not typically deployed to address host or network vulnerabilities in the way that firewalls or IDSs are deployed; however, when properly configured, VLANs do allow switches to enforce security policies and segregate traffic at the Ethernet layer. Properly segmented networks can also mitigate the risks of broadcast storms that may result from port scanning or worm activity.

8.1.6.4. Switches have been susceptible to attacks such as media access control (MAC) address spoofing, table overflows, and attacks against the spanning tree protocols, depending on the device and its configuration. VLAN hopping, the ability for an attacker to inject frames to unauthorized ports, has been demonstrated using switch spoofing and double tagging. These attacks cannot be conducted remotely and require local physical access to the switch. A variety of features such as MAC address filtering, port-based authentication using IEEE 802.1X, and specific vendor-recommended practices can be used to mitigate these attacks, depending on the device and implementation.

8.1.6.5. VLANs have been deployed effectively in ICS networks, with each automation cell assigned
to a single VLAN to limit unnecessary traffic flooding and allow network devices on the same VLAN to span multiple switches. ICSs connected to a VLAN shall incorporate the following:

8.1.6.5.1. Firewalls separating base network traffic from external base traffic and the ICS VLAN. The configuration of the ICS VLAN must ensure that no ICS traffic exits the base firewall.

8.1.6.5.2. Hypertext Transfer Protocol Secure (HTTPS) for remote control of the ICS from the LAN. If Web services are provided to Nonsecure Internet Protocol Router Network (NIPRNet) systems, implementation of an AC is required.

8.1.7. Replace any unmanaged switch with a managed switch. While awaiting replacement, add physical security measures, house unmanaged switches in a locked secure area, and/or add tamper-proof features. The ICS PM shall approve interim measures.

9. Additional Guidance.

9.1. Privatized ICSs.

9.1.1. For the purposes of this ETL, privatization is defined as the transfer of ownership and operations of Air Force utility systems and associated industrial monitoring/control systems to the private sector. The private sector includes all privately owned and publicly owned entities.

9.1.2. DOD and Air Force directives and instructions pertaining to IA and DIACAP requirements apply only to DOD-owned systems, including outsourced services such as operation and maintenance (O&M) by a private entity (e.g., Office of Management and Budget (OMB) Circular A-76, Performance of Commercial Activities, outsourced CE O&M or AF Form 9, Request for Purchase, service contract). A privatized utility is no longer a DOD-owned asset, including the privatized ICS that monitors and controls the privatized utility distribution system. Therefore, this formal real estate transaction relieves the US government from any and all planning, financing, designing, constructing, operating, and maintaining responsibilities of this utility infrastructure and associated monitoring and control system.

9.1.3. RF spectrum
utilization by a privately owned or publicly owned entity while in garrison requires base or regional spectrum management notification and/or approval.

9.2. Outsourced O&M of ICSs. The following information applies to any OMB Circular A-76 outsourced CE O&M of ICSs, including AF Form 9 service contracts. DOD IA requirements apply to government-owned PIT and PITI ICSs that are operated and maintained by a private entity. Specific guidance for outsourced IT processes is located below and in section 6.9 of DODI 8510.01.

9.2.1. Outsourced IT-based processes that may also support non-DOD users or processes must still be certified and accredited by DOD entities. IA requirements for DOD in
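The VLAN, firewall and switch requirements of sections 8.1.6.2, 8.1.6.5 and 8.1.7 above (one subnet per VLAN, no ICS traffic exiting the base firewall, HTTPS for remote control from the LAN, no unmanaged switches) can be checked mechanically against a network inventory before the annual "Industrial Control System Security Status Report" is assembled. The script below is an added example and is not part of ETL 11-1 or any Air Force tool; the inventory format, the ICS VLAN id 300, the zone names "base" and "external", and every device name, address and firewall rule are constructed assumptions.

```python
"""Added example, not part of ETL 11-1: audit a constructed ICS network
inventory against the VLAN/firewall/switch rules of sections 8.1.6.2,
8.1.6.5 and 8.1.7. Every device name, address and rule below is constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ICS_VLAN = 300  # assumption: VLAN id assigned to the ICS automation cell


@dataclass
class Switch:
    name: str
    managed: bool
    ports: Dict[int, int] = field(default_factory=dict)  # port -> VLAN (static, 8.1.6.1)


@dataclass
class FirewallRule:
    src_vlan: int
    dst_zone: str  # "base" (inside the base network) or "external" (beyond the base firewall)
    action: str    # "permit" or "deny"


@dataclass
class Host:
    name: str
    vlan: int
    ip: str
    remote_control_url: Optional[str] = None  # URL used to control the ICS from the LAN


def audit(subnets: Dict[str, int], switches: List[Switch],
          rules: List[FirewallRule], hosts: List[Host]) -> List[str]:
    """Return one finding per violated requirement; an empty list means compliant."""
    findings: List[str] = []

    # 8.1.6.2: one-to-one relationship between IP subnets and VLANs.
    vlan_nets: Dict[int, list] = {}
    for cidr, vlan in subnets.items():
        vlan_nets.setdefault(vlan, []).append(ipaddress.ip_network(cidr))
    for vlan, nets in sorted(vlan_nets.items()):
        if len(nets) > 1:
            findings.append(f"8.1.6.2: VLAN {vlan} carries {len(nets)} subnets; use one subnet per VLAN")
    # A host's address must fall inside the subnet mapped to its VLAN.
    for h in hosts:
        if not any(ipaddress.ip_address(h.ip) in n for n in vlan_nets.get(h.vlan, [])):
            findings.append(f"8.1.6.2: host {h.name} ({h.ip}) is not in the subnet of VLAN {h.vlan}")

    # 8.1.6.5.1: no ICS traffic may exit the base firewall.
    ics_external = [r for r in rules if r.src_vlan == ICS_VLAN and r.dst_zone == "external"]
    for r in ics_external:
        if r.action == "permit":
            findings.append("8.1.6.5.1: firewall permits ICS VLAN traffic to exit the base firewall")
    if not any(r.action == "deny" for r in ics_external):
        findings.append("8.1.6.5.1: no explicit deny for ICS VLAN traffic toward external networks")

    # 8.1.6.5.2: remote control of the ICS from the LAN must use HTTPS.
    for h in hosts:
        url = h.remote_control_url
        if url and not url.lower().startswith("https://"):
            findings.append(f"8.1.6.5.2: host {h.name} exposes remote control over {url.split(':')[0]}, not HTTPS")

    # 8.1.7: unmanaged switches must be replaced (interim measures need ICS PM approval).
    for s in switches:
        if not s.managed:
            ics_ports = sum(1 for v in s.ports.values() if v == ICS_VLAN)
            findings.append(f"8.1.7: switch {s.name} is unmanaged ({ics_ports} ICS port(s)); replace with a managed switch")
    return findings


def run_sample() -> List[str]:
    """Audit a constructed inventory that violates each rule at least once."""
    subnets = {"10.50.1.0/24": ICS_VLAN, "10.50.2.0/24": ICS_VLAN, "10.60.0.0/24": 10}
    switches = [Switch("sw-bldg-1", managed=True, ports={1: ICS_VLAN, 2: ICS_VLAN, 3: 10}),
                Switch("sw-temp", managed=False, ports={1: ICS_VLAN})]
    rules = [FirewallRule(ICS_VLAN, "base", "permit"),
             FirewallRule(ICS_VLAN, "external", "permit"),   # violates 8.1.6.5.1
             FirewallRule(10, "external", "permit")]
    hosts = [Host("plc-01", ICS_VLAN, "10.50.1.20"),
             Host("hmi-01", ICS_VLAN, "10.50.1.30", "http://10.50.1.30/hmi"),  # plain HTTP
             Host("scada-srv", ICS_VLAN, "10.50.9.5", "https://10.50.9.5/")]   # wrong subnet
    return audit(subnets, switches, rules, hosts)


def run_corrected() -> List[str]:
    """The same inventory after remediation; expected to return no findings."""
    subnets = {"10.50.1.0/24": ICS_VLAN, "10.60.0.0/24": 10}
    switches = [Switch("sw-bldg-1", managed=True, ports={1: ICS_VLAN, 2: ICS_VLAN, 3: 10})]
    rules = [FirewallRule(ICS_VLAN, "base", "permit"),
             FirewallRule(ICS_VLAN, "external", "deny"),
             FirewallRule(10, "external", "permit")]
    hosts = [Host("plc-01", ICS_VLAN, "10.50.1.20"),
             Host("hmi-01", ICS_VLAN, "10.50.1.30", "https://10.50.1.30/hmi"),
             Host("scada-srv", ICS_VLAN, "10.50.1.5", "https://10.50.1.5/")]
    return audit(subnets, switches, rules, hosts)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
    print("corrected inventory findings:", run_corrected())
```

The constructed inventory in `run_sample()` produces six findings (two subnets on the ICS VLAN, a host outside its VLAN's subnet, a permit and a missing deny for ICS traffic toward the external zone, an HTTP remote-control URL, and an unmanaged switch); `run_corrected()` shows the remediated inventory passing every check. The firewall check deliberately requires an explicit deny rather than relying on an implicit default, so that the "no ICS traffic exits the base firewall" requirement of 8.1.6.5.1 is visible in the rule set itself.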