After reading an ISA article related to the application of Security PHA Review (SPR) for the determination of required security levels for Industrial Control Systems (ICS), as required in IEC 62443 [ISA 99], a Kenexis customer had some questions related to whether or not some cyber safeguarding measures make a scenario “non-hackable”, and if not, what actions need to be taken to make the risk of cyber-attack generated scenarios tolerable. The specific questions were as follows:
· Do we need to consider the DCS Systems having Firewall (Hardware / software firewall) as hackable ?
· Do we need to consider every electronic control system (ESD, F&S System) as hackable, irrespective of the robustness provided through hardware / software ?
The answer is “Yes!”, that’s essentially the whole point of the analysis, to find the scenarios where the initiating events and protection layers all exist in a programmable device that can be taken control of remotely and abused. The purpose of the SPR is to identify these scenarios and their components, and then establish the performance requirements (in terms of cyber security) for these systems. The performance requirements are established by defining the security level. The “robustness” requirements of the systems need to be established, defined, and documented – i.e., the security level needs to be defined.
The customer then further pressed the issue by asking, “If higher security levels are selected through the SPR process, does that mean that I need to add more physical security measures to make the situation tolerable?” The answer, is no, not exactly. While adding mechanical safeguards to make a situation non-hackable and thus inherently safe against cyber attack is an option, it is not required. The purpose of the security levels is to establish the design criteria for the cybersecurity measures that are built into the system.
When a security level is assigned, that means that there is a “hackable” scenario and because of that the cybersecurity safeguards need to be in place. The consequence of the scenario being prevented determines the degree of these safeguards Security Level 1 through 4. If additional mechanical safeguards are added that make the scenario non-hackable, then cybersecurity measures are not an issue. The next question should be, “what are the cybersecurity safeguards?”. There are many attributes to cyber security, but I will focus on one of the dozen or so aspects. The one aspect of cyber security for this discussion is “user authentication”.
If no cybersecurity is required because of extensive mechanical safeguarding, then the control system, technically, is not required to use passwords at all (security level 0). If there is a “hackable scenario”, then the control system must be protected to a security level based on the consequence. The requirements for each security level are prescriptive and based on company standards and company security philosophy. As the security level increases, the requirements are more stringent and so the system is more robust against cyber-attack. So, as an example, let me demonstrate how security levels could be typically applied to the control system attribute of “user authentication”.
- For security level 1, user authentication is performed by a single username and single password that is shared between all members of a group. For instance there would be one set of login criteria for operators, one set of criteria for engineering, one set of criteria for maintenance, and so on.
- For security level 2, user identification would be based on a username and password that is unique to each individual that can access the control system.
- For security level 3, user identification is still based on username and password for each unique individual, but the passwords are required to be strong (i.e., mix of letters and characters with minimum acceptable length) and are required to be changed every 90 days.
- For security level 4, user identification is based on “two-factor” authentication of each unique individual using strong passwords that are subject to a 90-day change, and the insertion of an ID badge into a badge reader at the control system.
As the consequence of the hackable scenario increases, the security level increases, thus making the cyber security requirement more difficult to achieve. Again, the above list is just an example of what could be done to implement security levels, the details are up to each individual organization.
Once security levels have been assigned, prior to operating the plant a verification is required for cyber security. The verification has two parts. First, implementation of all of the requirements of a security level need to be verified by physical testing. For instance, if security level 4 (above) is required, the control system should be tested to ensure access requires use of “two-factor” authentication. If, for instance, access is granted without requiring a card-reader, then the control system would fail the verification of achievement of security level. The second part of verification is a cyber vulnerability assessment (CVA) during the FAT/SAT and at regular intervals while the plant is in operation. The CVA verifies that the design of the ICS network conforms with its design documentation and the scans of the system do not identify the presence of any vulnerabilities.