ISA-TR84.00.09-2013 Security Countermeasures Related to Safety Instrumented Systems (SIS)

Approved 6 November 2013

ISBN: 978-0-876640-52-4

Copyright 2013 by ISA. All rights reserved. Not for resale. Printed in the United States of America.

ISA
67 Alexander Drive
P. O. Box 12277
Research Triangle Park, NC 27709 USA

PREFACE

This preface, as well as all footnotes and annexes, is included for information purposes and is not part of ISA-TR84.00.09-2013.

This document has been prepared as part of the service of ISA, the International Society of Automation, toward a goal of uniformity in the field of instrumentation. To be of real value, this document should not be static but should be subject to periodic review. Toward this end, the Society welcomes all comments and criticisms and asks that they be addressed to the Secretary, Standards and Practices Board; ISA; 67 Alexander Drive; P. O. Box 12277; Research Triangle Park, NC 27709; Telephone (919) 549-8411; Fax (919) 549-8288; E-mail: standards@isa.org.

It is the policy of ISA to encourage and welcome the participation of all concerned individuals and interests in the development of ISA standards, recommended practices and technical reports. Participation in the ISA standards-making process by an individual in no way constitutes endorsement by the employer of that individual, of ISA or of any of the standards, recommended practices and technical reports that ISA develops.

CAUTION

ISA DOES NOT TAKE ANY POSITION WITH RESPECT TO THE EXISTENCE OR VALIDITY OF ANY PATENT RIGHTS ASSERTED IN CONNECTION WITH THIS DOCUMENT, AND ISA DISCLAIMS LIABILITY FOR THE INFRINGEMENT OF ANY PATENT RESULTING FROM THE USE OF THIS DOCUMENT.
USERS ARE ADVISED THAT DETERMINATION OF THE VALIDITY OF ANY PATENT RIGHTS, AND THE RISK OF INFRINGEMENT OF SUCH RIGHTS, IS ENTIRELY THEIR OWN RESPONSIBILITY. PURSUANT TO ISA'S PATENT POLICY, ONE OR MORE PATENT HOLDERS OR PATENT APPLICANTS MAY HAVE DISCLOSED PATENTS THAT COULD BE INFRINGED BY USE OF THIS DOCUMENT AND EXECUTED A LETTER OF ASSURANCE COMMITTING TO THE GRANTING OF A LICENSE ON A WORLDWIDE, NONDISCRIMINATORY BASIS, WITH A FAIR AND REASONABLE ROYALTY RATE AND FAIR AND REASONABLE TERMS AND CONDITIONS. FOR MORE INFORMATION ON SUCH DISCLOSURES AND LETTERS OF ASSURANCE, CONTACT ISA OR VISIT WWW.ISA.ORG/STANDARDSPATENTS. OTHER PATENTS OR PATENT CLAIMS MAY EXIST FOR WHICH A DISCLOSURE OR LETTER OF ASSURANCE HAS NOT BEEN RECEIVED. ISA IS NOT RESPONSIBLE FOR IDENTIFYING PATENTS OR PATENT APPLICATIONS FOR WHICH A LICENSE MAY BE REQUIRED, FOR CONDUCTING INQUIRIES INTO THE LEGAL VALIDITY OR SCOPE OF PATENTS, OR DETERMINING WHETHER ANY LICENSING TERMS OR CONDITIONS PROVIDED IN CONNECTION WITH SUBMISSION OF A LETTER OF ASSURANCE, IF ANY, OR IN ANY LICENSING AGREEMENTS ARE REASONABLE OR NON-DISCRIMINATORY. ISA REQUESTS THAT ANYONE REVIEWING THIS DOCUMENT WHO IS AWARE OF ANY PATENTS THAT MAY IMPACT IMPLEMENTATION OF THE DOCUMENT NOTIFY THE ISA STANDARDS AND PRACTICES DEPARTMENT OF THE PATENT AND ITS OWNER.

ADDITIONALLY, THE USE OF THIS DOCUMENT MAY INVOLVE HAZARDOUS MATERIALS, OPERATIONS OR PROCESS EQUIPMENT. THE DOCUMENT CANNOT ANTICIPATE ALL POSSIBLE APPLICATIONS OR ADDRESS ALL POSSIBLE SAFETY ISSUES ASSOCIATED WITH USE IN HAZARDOUS CONDITIONS. THE USER OF THIS TECHNICAL REPORT SHOULD EXERCISE SOUND PROFESSIONAL JUDGMENT CONCERNING ITS USE AND APPLICABILITY UNDER THE USER'S PARTICULAR CIRCUMSTANCES. THE USER SHOULD ALSO CONSIDER THE APPLICABILITY OF ANY GOVERNMENTAL REGULATORY LIMITATIONS AND ESTABLISHED SAFETY AND HEALTH PRACTICES BEFORE IMPLEMENTING THIS DOCUMENT.

The following members of ISA84 Working Group 9 served as active contributors in the development of this technical report:

NAME                                    AFFILIATION
Harold W Thomas, Working Group Chair    exida
Marc Baque                              Total
Keith Bellville                         Emerson
Michael Corbo                           ExxonMobil
John Cusimano                           exida
Ed Crawford                             Chevron
James Gilsinn                           Kenexis
William Hearn                           SIS-Tech
Kevin Klein                             Chevron
Joel Langill                            Scadahacker
Vic Maggioli                            Feltronics

This technical report was approved for publication by the ISA Standards and Practices Board on 6 November 2013.

NAME                                    AFFILIATION
E. Cosman, Vice President               The Dow Chemical Company
D. Bartusiak                            ExxonMobil Chemical Company
P. Brett                                Honeywell Inc.
J. Campbell                             Consultant
M. Coppler                              Det Norske Veritas Certification Inc.
B. Dumortier                            Schneider Electric
D. Dunn                                 Aramco Services Co.
J. Federlein                            Federlein

- Inventory (including subsystems, network devices, software);
- Definition of roles and responsibilities;
- Cybersecurity risk assessment;
- Security of operation (including the network segregation re: Annex A, the logical and physical protection);
- Maintenance policy and contract management;
- Maintenance tools;
- Incident response and disaster recovery plan;
- Backup and host protection (for example, antivirus, application white listing) management;
- Patch upgrade management;
- Confidentiality of its work by limiting the communication of the specific practices employed to meet the objectives of cybersecurity. Only specific personnel within the organization with the need to fully understand the tactics employed should receive this communication.

The organization responsible for security should also be engaged during each phase of the safety life cycle. This helps to maintain communication between the organizations and assess potential consequences within each group's existing scope to ensure that each area's initiatives complement the others.

Persons, departments or organizations involved in cybersecurity life-cycle activities should be competent to carry out the activities for which they are accountable. As skill requirements change due to new equipment or procedures, senior technical and management personnel should review competency requirements to ensure the desired outcome for their facility's SIS installations.

5 Hazard and risk analysis (Clause 8)
The hazards of significance to a SIS relative to security protection include:

- Safety instrumented function (SIF) failure to function when needed;
- SIF spuriously functions; and
- Common mode failure of basic process control system (BPCS) generating a demand with the SIS in a fail-to-function state.

A risk assessment should be performed that concentrates on the potential likelihood and consequences of an event occurring. This risk assessment should contain aspects of both safety and security and reflect the possible consequences of a failure to provide adequate security countermeasures. Safety risk assessments are, in general, much more quantitative in nature than those for security due to the different potential threat sources.

The security threat landscape is constantly changing, but there are some general classifications of potential threats, as described in the ISA/IEC 62443 series, that an organization should consider:

- Malicious hacker - an individual whose objective is to penetrate the security defenses of a third-party computer system or network (ISO/IEC 27002 - see Bibliography).
- Professional hackers - an organization funded by a government or other entity specifically aimed at penetrating security defenses.
- Disgruntled employee - an individual working for the organization who may be inclined to do harm resulting from his state of mind regarding the organization.
- Well-meaning employee - an individual working for the organization who, during the course of his work, circumvents a security countermeasure in order to “get the job done.”
- Third-party contractor - an individual or organization that may have privileged access to the BPCS, SIS and/or other control-related systems through an agreement in order to operate or maintain those systems.
- Automated systems (device-to-device) - automated portions of the BPCS, SIS and/or other control-related systems that have privileged access.

These potential threat sources may exploit vulnerabilities in countermeasures that result in consequences. As with the list of potential threats, the host of potential vulnerabilities can be quite extensive. A few of the vulnerability classes include:

- Software bugs - errors introduced, either intentionally or unintentionally, while programming the software and/or firmware on devices, that allow a threat source to circumvent security countermeasures.
- Hardware failures - failure of devices, for any reason, that results in the potential compromise of a system and/or circumvention of security countermeasures.
- Security countermeasure degradation - security countermeasures whose effectiveness degrades over time and are able to be circumvented due to new security techniques, additional computing performance, and the like, such as encryption techniques that are broken or using short passwords (re: ANSI/ISA-62443-1-1 definition of password strength).
- Credential reuse - using the same set of credentials at multiple locations allows a threat source to potentially compromise multiple systems.
- Confidential information release - releasing confidential information to a potential threat source, whether intentionally or unintentionally, that allows the threat source to circumvent security countermeasures. These vulnerabilities could be in both technical and policy countermeasures, such as by not securing credential databases, sending passwords in clear text across a network, or targeted social engineering of employees.
- Systematic errors leading to misconfiguration (for example, failure to change default passwords).

Security countermeasures employed by an organization will need to consist of both policy and procedure-level countermeasures as well as technical countermeasures. Policy and procedure-level countermeasures may include staff training and awareness programs, testing programs, change management programs, identification and authorization procedures, and the like.

Any security management system implemented within an organization should include conditions which dictate re-evaluating the risk assessment. These may include, but are not limited to:

- Developing a new, or designing a modification to an existing, control system or SIS;
- Implementing a new or modified control system or SIS; and
- Retiring/decommissioning a control system or SIS.

Details of the risk assessment work process are not part of the scope of this document. Refer to the ISA/IEC 62443 series of standards for additional guidance.

6 Allocation of safety functions to protection layers (Clause 9)

Countermeasures included in this document should be considered with respect to the SIS in addition to applicable requirements and requirement enhancements in the ISA/IEC 62443 series of standards. Guidance with respect to application of the security countermeasures to the BPCS is covered in the ISA/IEC 62443 series of standards.

NOTE: The countermeasures referred to in this document may be applicable to other instrumented systems, such as safety controls, alarms and interlocks (see ANSI/ISA 84.91.01-2012, Bibliography).

7 Safety requirements specification (SRS) for the safety instrumented system (Clauses 10 and 12)

The SRS should have a section dedicated to security countermeasures addressing, as a minimum, the following:

- The security countermeasures should not impact the performance of the SIS. If a security countermeasure has the potential to impact the overall response time of the SIF, then the response time impact of the security countermeasure should be incorporated in the calculation of the overall response time of the SIF (for example, the time from process deviation detection through the process response to final element action).
- Selection of the security countermeasures should take into account the ability to support interoperability of different manufacturers' devices without degrading the safety integrity, the safety integrity level (SIL), the reliability (spurious trip rate), and the communication speed.

8 Design and engineering of safety instrumented system (Clauses 11 and 12)

8.1 Independence and segregation

The support systems for the SIS, such as engineering stations, HMI, historians, and alarm panels, can either be totally separate and independent from the outside world or there can be limited integration with the BPCS. Functional independence and segregation should be provided to address the level of impact from external sources on the security. There are many devices within the SIS that require application programming. The application programming devices range from an independent handheld programmer to a common PES engineering station. The functional independence of the programming units needs to be the same as used in the design of the SIS.

8.1.1 Full independence and segregation (Figures A.1 and A.2)

Where the network scheme is independent (re: Figures A.1 and A.2), the application can only be accessed by PES devices restricted to the SIS. The management of this type of system is less complex since you only need to focus on access security and revision control for the application program and the vendor software. The SIS HMI is independent and separate from other systems. As one of the technical measures, consideration should be given to the installation of dedicated controller “stateful firewalls” between the hosts communicating with the SIS and the network to which they are connected. These devices provide an additional countermeasure, which can control not only the hosts that can communicate directly with the SIS logic solvers, but also the data that is communicated in these connections that crosses between the Control and Safety Zones (re: Figures A.1 and A.2). Design of security countermeasures should ensure that any failures of the SIS communication interface with the BPCS do not impact any SIF from performing its safety function.

8.1.2 Integrated (Figures A.3 and A.4)

Where the SIS is integrated with other systems, the SIS is not separate from the network and has parts that are integrated with the BPCS. Functional isolation against intrusions from external sources should include installation of dedicated “stateful firewalls” between the integrated system and the network to which they are connected. The network and the firewall should be considered part of the SIS and managed as such. For integrated HMI, validation of inputs from the HMI should be performed by the SIS logic solver. Access to allow changes should include a time-limited window of opportunity.

8.2 Access

Access security can be accomplished following the schemes listed in Annex A. The risk and effort required for each of these schemes vary significantly. Where the consequence from intrusion from the outside is high, providing an Air Gapped (Figure A.1) or Interfaced (Figure A.2) scheme may be required to reduce the risk of an incident. Where
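As an added example, not taken from the ISA report, the following Python sketch puts the 8.1.1 and 8.1.2 guidance into one piece of logic-solver-side code: only hosts allow-listed on the Control/Safety conduit may write at all, every HMI write is validated by the logic solver against the tag's type and engineered limits, and changes to SIF parameters are accepted only inside a time-limited engineering window bound to the host that opened it. Every decision is recorded for later review. The host names, tag names, limits and window length are constructed assumptions for illustration.

```python
"""Added example (not from ISA-TR84.00.09): a logic-solver-side write gate.

All hosts, tag names, engineered limits and the window length below are
constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class TagSpec:
    kind: type                      # exact Python type a write must carry
    low: float = float("-inf")      # engineered limits for numeric tags
    high: float = float("inf")
    engineering_only: bool = True   # True: only inside an open change window


@dataclass
class WriteGate:
    operator_hosts: frozenset       # HMI hosts allowed across the Control/Safety conduit
    engineering_hosts: frozenset    # engineering stations allowed to open a change window
    tags: dict                      # tag name -> TagSpec
    window_expires: Optional[float] = None
    window_host: Optional[str] = None
    audit: list = field(default_factory=list)

    def open_change_window(self, host, now, duration_s=600):
        """Time-limited engineering enable, bound to the host that opened it."""
        ok = host in self.engineering_hosts
        if ok:
            self.window_expires = now + duration_s
            self.window_host = host
        self._log(now, host, "open_window", None, ok,
                  f"window open for {duration_s}s" if ok else "not an engineering host")
        return ok

    def validate_write(self, host, tag, value, now):
        """Decide one write request at the logic solver. Returns (accepted, reason)."""
        if host not in self.operator_hosts and host not in self.engineering_hosts:
            return self._decide(now, host, tag, value, False, "host not permitted across conduit")
        spec = self.tags.get(tag)
        if spec is None:
            return self._decide(now, host, tag, value, False, "unknown tag")
        if spec.engineering_only:
            window_open = (self.window_expires is not None
                           and now < self.window_expires
                           and host == self.window_host)
            if not window_open:
                return self._decide(now, host, tag, value, False, "no open change window for host")
        # bool is a subclass of int, so compare exact types: True must not land in a float tag.
        if type(value) is not spec.kind:
            return self._decide(now, host, tag, value, False, f"expected {spec.kind.__name__}")
        if spec.kind in (int, float) and not (spec.low <= value <= spec.high):
            return self._decide(now, host, tag, value, False, "value outside engineered limits")
        return self._decide(now, host, tag, value, True, "accepted")

    def _decide(self, now, host, tag, value, ok, reason):
        self._log(now, host, "write", tag, ok, f"{reason} (value={value!r})")
        return ok, reason

    def _log(self, now, host, action, tag, ok, detail):
        # Every decision, accepted or rejected, is recorded for later review.
        self.audit.append({"t": now, "host": host, "action": action,
                           "tag": tag, "ok": ok, "detail": detail})


def build_gate():
    """Constructed configuration: one HMI, one engineering station, two tags."""
    return WriteGate(
        operator_hosts=frozenset({"hmi-01"}),
        engineering_hosts=frozenset({"sis-eng-01"}),
        tags={
            # Operator-level request that the SIF logic still bounds; no window needed.
            "BYPASS_REQ_PT101": TagSpec(kind=bool, engineering_only=False),
            # SIF trip setpoint: engineering change only, within engineered limits.
            "TRIP_SP_PT101": TagSpec(kind=float, low=8.0, high=12.0),
        },
    )


def run_scenario():
    """Constructed sequence of writes; returns the accept/reject decisions and the audit trail."""
    gate = build_gate()
    decisions = [
        gate.validate_write("bpcs-srv-07", "TRIP_SP_PT101", 10.0, now=1000.0),  # host not on conduit
        gate.validate_write("hmi-01", "BYPASS_REQ_PT101", True, now=1001.0),     # operator tag, typed bool
        gate.validate_write("hmi-01", "TRIP_SP_PT101", 10.0, now=1002.0),        # no change window
    ]
    gate.open_change_window("sis-eng-01", now=1003.0, duration_s=300)
    decisions += [
        gate.validate_write("sis-eng-01", "TRIP_SP_PT101", 10.5, now=1004.0),    # inside window, in range
        gate.validate_write("sis-eng-01", "TRIP_SP_PT101", 40.0, now=1005.0),    # outside engineered limits
        gate.validate_write("hmi-01", "TRIP_SP_PT101", 10.5, now=1006.0),        # window bound to other host
        gate.validate_write("sis-eng-01", "TRIP_SP_PT101", 10.5, now=1400.0),    # window expired
    ]
    return [ok for ok, _ in decisions], gate.audit


if __name__ == "__main__":
    accepted, audit = run_scenario()
    for entry in audit:
        print(entry)
```

The gate is deny-by-default at each step: an unknown host, an unknown tag, a closed or expired window, a wrongly typed value or an out-of-range value each stops the write before it reaches the SIF logic, which is what keeps HMI integration from turning into an unchecked write path into the safety zone.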