Thesis Process Control Frameworks - Vurore

Executive Summary

Process controlling has existed for a long time and is essential for controlling industrial processes as in, for example, a nuclear power plant or on an oil rig. The process control domain (PCD) has always been the area of engineers and segregated from the other high IT involved business systems and used to be relatively secure for that reason. Recent developments have shown however that the level of security has dropped due to increased consolidation with the Office IT domain and several incidents which have occurred. This has resulted in more regulation and legislation (driven by national security regulations) with which organizations must comply. In response, the industry created more standards, frameworks and good practices. In this connection, the main research question for this thesis is the following:

Which frameworks are available for the security of Process Control Systems and how do companies experience these frameworks in practice?

Information about PCD frameworks was collected from various literature sources, and from explorative expert interviews it appeared that the ISA99, NIST 800-82 and NERC CIP are currently the most commonly used frameworks. For these frameworks a comparison was made which showed that the number of controls covered by the frameworks was almost the same. However, the comparison also showed two differences: ISA99 does not describe controls regarding management systems for the controls. However, the ISA99 standard is still under development and this will be added later to a related document within the standard. Another difference is that the NERC CIP does not cover filtering/blocking access control technologies. The reason for this may be that the control description in NERC CIP is often on a higher level.

The interviews have shown that PCD frameworks are being used (and in some cases legally required), but mainly as a good practice in order to create a more complete/suitable PCD framework for the organizations. The use of ISO27001 (including the related ISO27002) is noticeable, as this framework covers most of the controls of the PCD frameworks. However, specific controls and descriptions given in the framework are really different from those in the PCD frameworks. Next to that, the interviews have also revealed that a tier model is being used. One of the organizations interviewed is using this solution to customize the controls to its own operations by matching controls with the level of criticality of the PCS.

The interviews have also shown that the PCD frameworks are not used as is but that companies really need to customize the selected controls in order to make them consistent with how they intend to use and secure the PCD within their organizations.

Summarizing the results of the framework analysis and the interviews, it can be said that it does not really matter in what sense a framework is the most complete or accurate or relevant for an organization, as most organizations in the end do not use the frameworks as is but rather as a good practice to compose their own framework. In addition, ISO27001 is still the leading framework for information security, but ISA 99, NIST 800-82, NERC-CIP and other PCD frameworks are used to create a more specific set of controls in a customized, organization-specific PCD framework.


Table of contents

Executive Summary 2
Preface 3
Table of contents 4
1 Introduction 6
1.1 Problem definition 6
1.2 Goal of the research & research questions 6
1.3 Research approach 7
1.4 Scope limitations 7
1.5 Layout of this thesis 8
2 What is the Process Control Domain? 9
2.1 PCD components 9
2.1.1 Field instruments 9
2.1.2 Programmable Logic Controller 9
2.1.3 Human Machine Interface 10
2.1.4 Remote Terminal Unit 11
2.1.5 Master Terminal Unit 11
2.1.6 Composition of these components 12
2.2 Office IT vs. PCD 13
2.3 Importance of PCD Security 15
2.3.1 Regulations 15
2.3.2 PCD Incidents 16
2.4 Recap of this chapter 18
3 Which frameworks can be identified 19
3.1 ISA99 19
3.1.1 About the framework 19
3.1.2 Purpose of the framework 21
3.1.3 Guidance within the framework 22
3.2 NIST 800-82 22
3.2.1 About the framework 22
3.2.2 Purpose of the framework 22
3.2.3 Guidance within the framework 23
3.3 NERC CIP standard 23
3.3.1 About the framework 23
3.3.2 Purpose of the framework 24
3.3.3 Guidance within the framework 24
3.4 Recap of this chapter 24
4 PCD Frameworks compared 26
4.1 Overview of controls 26
4.2 Recap of this chapter 28
5 Use of the PCD frameworks and lessons learned 29
5.1 Frameworks used as good practice 29
5.2 Use of ISO27001 30
5.3 Tier model 30
5.4 Management system of the frameworks 31
5.5 Recap of this chapter 31
6 Summary 32
6.1 Conclusion 32
6.2 Reflection and discussion 34
6.2.1 Research reflection 34
6.2.2 Result discussion 34
6.3 Further research 35
6.3.1 Tier models & the applicability 35
6.3.2 Who is responsible for the security of PCSs 35
6.3.3 Self assessment tools 35
APPENDIX A – Bibliography 36
APPENDIX B – Framework comparison 38
APPENDIX C – Unique characteristics of the Office IT versus PCD 42
APPENDIX D – Interview questions 43


1. What is the PCD?
2. Which frameworks are available for the security of PCSs?
3. What are the differences between the frameworks?
4. How do companies make use of these frameworks to secure PCSs?
5. What are the lessons learned regarding these frameworks?

1.3 Research approach

The main research question of this thesis is of an explanatory nature, while a substantial part of the research carried out is descriptive. This is visible in the sub-research questions: the first three are descriptive; the last two questions are explanatory.

A gradual approach was used that consisted of five phases. Phase 1 was to set the scope and boundaries of the research and to define the research questions. In phase 2 a literature review was performed to gain the in-depth knowledge of the PCD required to answer the first and second sub-questions. In phase 3, the frameworks determined in the second phase were compared in order to answer the second sub-research question. Phase 4 consisted of the interviews to discuss the frameworks that have been compared and the lessons learned, which lead to an answer to the fourth and fifth sub-research questions. The goal of the last phase, phase 5, was to draw a conclusion for all previous phases and thus answer the main research question.

The answer to the main research question will ultimately follow from the answers to all previous questions.

Figure 1 - Research approach (phases: research questions, literature review, framework analysis, interviews, result analysis, conclusion)

1.4 Scope limitations

This thesis only covers a comparison of PCD frameworks and their use by businesses. A reference is made to the ISO27001 framework, which is the most commonly used framework for security in the Office IT Domain. However, this ISO framework is only used because it is widely known and is a good reference point for the PCD frameworks. Any other frameworks regarding the Office IT Domain are beyond the scope of this thesis, and so are regulatory (including health & safety) issues that often are only relevant for the PCD. In addition, this thesis does not cover research into PCD risks, vulnerabilities and threats.


1.5 Layout of this thesis

This first chapter includes the introduction, the research question and the approach to answering the research question. The following chapters are related to the sub-questions. The second chapter discusses the first sub-question: What is the PCD? The components of the PCD are described as well as its importance. This chapter also explains the differences between the Office IT Domain and the PCD.

Chapter 3 covers the next two questions: What are the (major) security frameworks in the PCD, and how do these frameworks differ from each other and from ISO27001? The details of the differences are presented in a table in Appendix B. ISA99, NIST 800-82 and NERC CIP are selected as major frameworks.

The next chapter, chapter 5, concerns two questions: How do companies make use of these frameworks to secure PCSs? and What are the lessons learned regarding these frameworks? This chapter presents the answers to these questions by experts from various organizations.

Finally, chapter 6 describes the summary of my thesis including the conclusion, a reflection on and discussion of the research, the results and topics for further research.


and act on it, which can mean passing it on to another system but also controlling other field instruments (Daneels & Salter, 1999). Figure 3 shows some examples of PLCs typically used in the PCD (Google Images, 2012).

For example, a sensor (a field instrument) detects that a train has passed a certain railway section. The PLC understands and processes that information and communicates it to another field instrument (a light) to change the signal to green. This signal shows that it is safe for another train to move into that railway section.

Figure 3 - Example of PLCs

2.1.3 Human Machine Interface

The Human Machine Interface (HMI) takes care of the interaction between a person and a PLC. Like a PLC, an HMI consists of software and hardware which allows human operators to monitor the state of a process and to act on that by modifying the settings or manually overriding the automatic control operations in the event of an emergency. HMI systems may be required to show information and process information from the human operator or only to show information (Peerlkamp & Nieuwenhuis, 2010).

Formerly, HMI systems used to contain only some LEDs. HMI systems are now accessible from desktops/laptops and even on the Internet via a browser. Figure 4 shows an example of an HMI system typically used in the PCD (Google Images, 2012).

In the case of a subway system, an HMI could take care of the information for passengers shown on the platform, telling them that their train will arrive in four minutes. If two trains are moving toward each other on the same track, an HMI would enable an operator (in a central location) to immediately switch off the power on those railway sections to prevent an accident.

Figure 4 - Example of an HMI


2.1.4 Remote Terminal Unit

A Remote Terminal Unit (RTU) is an autonomous control system for (simple) logical processes. An RTU device is a kind of PLC, but is also designed to communicate with the Master Terminal Unit, using the most suitable communication network like Ethernet, Wi-Fi, GSM, radio, etc. (NIST Special Publication 800-82, 2008). Figure 5 shows an example of an RTU typically used in the PCD (Google Images, 2012).

An RTU could also receive information from a PLC and redirect it to the MTU. For example, an RTU can be placed at each station (and at each railway track near the station). The RTU would then communicate the locations of trains to the centrally located control room where it would become available to the operator via an HMI.

Figure 5 - Example of an RTU

2.1.5 Master Terminal Unit

Master Terminal Units (MTUs) are remote central monitoring and control stations (for example, in an office) that control the components (e.g. RTUs, PLCs, etc.) in the PCD. The Master Terminal Unit is usually defined as the master or heart of the PCD and is often located at the operator's central control facility office. MTU systems used to be equipped with custom/UNIX/Linux operating systems, but modern MTUs tend to use Microsoft Windows based operating systems. The MTU can monitor and control multiple RTUs at remote locations. Figure 6 shows an example of an MTU typically used in the PCD (Google Images, 2012).

Within the subway system, the MTU can be the control room with a big screen which shows all railway tracks and the current locations of trains, as well as any disruptions or congestion.

Figure 6 - Example of an MTU


2.1.6 Composition of these components

As shown by the scheme below, all these components are connected to each other. Multiple sensors are connected to a PLC. Note that their number may vary; there can be one just as well as twenty. In turn, multiple PLCs can be connected with an RTU. An RTU can be connected via an MTU to several HMI systems, resulting in the situation as shown in the example picture above. However, an HMI system can also be connected directly to a PLC or RTU (NIST Special Publication 800-82, 2008).

The right side of the scheme shows which part of the subway system is done by which system as described in the examples above.

Figure 7 - Components of the PCD composition (diagram; text recovered from the figure, top layer to bottom layer):
  HMI, MTU          Railway control room to show the operators information they can respond to
  HMI, RTU, RTU     Located at the station to communicate the train locations to the control room
  PLC, PLC, PLC     Receive information that a train has left a certain rail section and ensure that the signal turns green
  Sensors (seven)   Sensor to detect the location of a train
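The component chain and subway scenario described above, as an added illustration that is not code from the thesis: a small Python model in which sensors feed a PLC that turns its signal green only when the protected section is clear, RTUs report train locations upward to an MTU, and the HMI's emergency power cut forces every signal on a track to red when the MTU sees two trains heading towards each other. All station, section, signal and train names are constructed for the example.

```python
"""Toy model of the component chain in section 2.1.6 (sensor -> PLC -> RTU -> MTU -> HMI),
applied to the thesis' subway example. Added illustration, not code from the thesis;
every station, section, signal and train name is constructed."""
from dataclasses import dataclass

@dataclass
class Sensor:                 # field instrument: is this rail section occupied?
    section: str
    occupied: bool = False

class PLC:
    """Drives one signal: green only when every protected section is clear;
    a power cut ordered via the HMI forces red regardless of the sensors."""
    def __init__(self, signal, protected):
        self.signal, self.protected, self.forced_red = signal, protected, False

    def scan(self):
        blocked = self.forced_red or any(s.occupied for s in self.protected)
        return "red" if blocked else "green"

class RTU:
    """Station unit: refreshes its sensors from the trains present and reports
    train locations plus signal states upward to the MTU."""
    def __init__(self, station, sensors, plcs):
        self.station, self.plcs = station, plcs
        self.sensors = {s.section: s for s in sensors}
        self.trains = {}          # section -> (train_id, heading)

    def update(self, trains):     # train_id -> (section, heading); +1 runs up the track, -1 down
        for s in self.sensors.values():
            s.occupied = False
        self.trains = {sec: (tid, h) for tid, (sec, h) in trains.items()
                       if sec in self.sensors}
        for sec in self.trains:
            self.sensors[sec].occupied = True

    def report(self):
        return {"trains": dict(self.trains),
                "signals": {p.signal: p.scan() for p in self.plcs}}

class MTU:
    """Central unit: merges RTU reports, flags two trains moving towards each
    other on one track, and de-energises a track by forcing its signals red."""
    def __init__(self, rtus, tracks):
        self.rtus, self.tracks = rtus, tracks   # tracks: name -> ordered sections

    def snapshot(self):
        positions, signals = {}, {}
        for rep in (r.report() for r in self.rtus):
            positions.update(rep["trains"])
            signals.update(rep["signals"])
        return {"positions": positions, "signals": signals}

    def head_on_conflicts(self):
        conflicts, positions = [], self.snapshot()["positions"]
        for track, sections in self.tracks.items():
            on_track = sorted((sections.index(sec), tid, h)
                              for sec, (tid, h) in positions.items() if sec in sections)
            for i, (_, a, ha) in enumerate(on_track):
                for _, b, hb in on_track[i + 1:]:
                    if ha == 1 and hb == -1:     # a runs up the track, b runs down it
                        conflicts.append((track, a, b))
        return conflicts

    def cut_power(self, track):
        sections, stopped = set(self.tracks[track]), []
        for p in (p for r in self.rtus for p in r.plcs):
            if any(s.section in sections for s in p.protected):
                p.forced_red = True
                stopped.append(p.signal)
        return sorted(stopped)

class HMI:
    """Operator view in the control room: shows the MTU picture, orders the power cut."""
    def __init__(self, mtu):
        self.mtu = mtu

    def overview(self):
        return self.mtu.snapshot()

    def emergency_stop(self, track):
        return self.mtu.cut_power(track)

def build_demo():
    """Constructed layout: two stations on one track of four sections S1..S4."""
    sa, sb = [Sensor("S1"), Sensor("S2")], [Sensor("S3"), Sensor("S4")]
    rtu_a = RTU("station-A", sa, [PLC("sigA", [sa[1]])])   # sigA guards entry into S2
    rtu_b = RTU("station-B", sb, [PLC("sigB", [sb[0]])])   # sigB guards entry into S3
    mtu = MTU([rtu_a, rtu_b], {"line1": ["S1", "S2", "S3", "S4"]})
    return mtu, HMI(mtu), [rtu_a, rtu_b]

def run_scenario(trains):
    """Push train positions through the chain; stop the line on a head-on conflict."""
    mtu, hmi, rtus = build_demo()
    for r in rtus:
        r.update(trains)
    before = hmi.overview()["signals"]
    conflicts = mtu.head_on_conflicts()
    stopped = hmi.emergency_stop("line1") if conflicts else []
    return {"signals_before": before, "conflicts": conflicts,
            "stopped": stopped, "signals_after": hmi.overview()["signals"]}
```

Calling run_scenario({"T1": ("S1", 1), "T2": ("S4", -1)}) shows the chain end to end: both signals start green, the MTU flags the head-on conflict, and the HMI's power cut leaves both signals red.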


2.2 Office IT vs. PCD

The Office IT (used for financial administration, accounting, reporting, asset management, payroll, etc. and more commonly combined in an ERP system) and PCD systems (used to control industrial IT systems) used to be on two separate Local Area Networks (LANs). PCSs were often built on specific hardware and software and were, hence, not very vulnerable to cybercrime; this is changing. More generic devices are replacing proprietary solutions, which also are more vulnerable to cyber security incidents. A good example of this is the Stuxnet attack, which focused exclusively on Siemens SIMATIC WinCC or STEP 7 SCADA systems (Matrosov, 2011). The PCS are also adopting more connectivity options, for example to connect via RTUs to MTUs or directly to the Internet. Companies want to become more aware of the current state of processes within the company, for which purpose they need access to all information from all systems. For that reason, information from the PCS needs to be shared with the business applications. The business LAN and the PCD LAN are shared and also connected directly to the Internet. This development leads to more risks and threats. Figure 8 shows a schematic representation of this trend.

Figure 8 - Integration trend (two panels, each labelled Business, Internet, Office IT and PCD)


The PCD has some characteristics that differ from Office IT systems, including other risks, vulnerabilities and threats. While the risks incurred with an Office IT system include loss of time, money or data, the risks associated with a PCD potentially involve a loss of lives, environmental disasters, an outbreak of diseases, floods, etc. Furthermore, the goals of process safety and efficiency may conflict with security in the design and operation of systems. Table 1 presents a concise overview of the different risks.

Potential ineffective ramifications for critical infrastructure companies

  Impacts                    Office IT   PCD
  Revenue and profitability  Yes         Yes
  Reputation                 Yes         Yes
  Regulatory and fines       Yes         Yes
  Health and human safety    No          Yes
  Environmental damage       No          Yes
  National security          No          Yes

Table 1 - Office IT vs. PCD risk overview (Ernst & Young, 2012)

Also, the vulnerabilities of the Office IT domain differ from those of the PCD. PCS are often very old legacy systems (some systems have a lifespan of 30 years) which need to be handled differently compared with “modern” Windows/Unix-like servers. For example, while it is easy to install anti-virus applications on Office IT systems, this is a great deal more complicated for an MTU or RTU running a custom-made operating system and may not even be necessary as no viruses exist for those systems.

Next to this, the PCD has some unique characteristics that distinguish it from the Office IT Domain (US-CERT, 2011). Some of these characteristics are also related to each other. PCD systems have a lifespan of 10-30 years; it will be difficult to find another vendor after that period due to the specific task that the system performed. An Office IT system has a lifespan of approximately 2-3 years and can be sourced from a lot of vendors (for example, laptops are sold by Dell, HP, IBM, Apple, Sony, etc. and the software can differ too (Windows or Linux)).

Due to the legacy systems within the PCD, some other processes are difficult to perform. One example is patch management. Firstly, it is difficult to find the right moment to update certain PCD systems. Secondly, the vendor has to create the patches and, as it is the only vendor, the client will simply have to wait until a patch is released. Thirdly, testing is a completely different process than within the Office IT Domain. See Appendix C for a table with more control differences (US-CERT, 2011).

Vulnerabilities are often detected via penetration tests. On a PCS this is slightly more complicated than on an Office IT system. A simple port scan would not have that much impact on an Office IT system. If the same port scan is performed on a PCD system, it might trigger an action (an actual vulnerability). For example, on one occasion a port scan resulted in a completely unexpected swing of a robotic arm in a factory. Fortunately the engineer was beyond the reach of the arm and was not harmed, but the risks are obvious (Duggan, 2005).


The last difference described in this chapter is the use of the well-known CIA triad. CIA stands for Confidentiality, Integrity and Availability. Information systems are required to comply with the CIA triad. In general, for Office IT systems (compared with the PCD), confidentiality and integrity are more important than availability. However, in the PCD the CIA triad is reversed (AIC) (Fenrich, 2007): availability is by far the most important component of the AIC triad. For really critical systems a 99.99% uptime is required. Integrity is also important as the PCS will need to work with the right values. Confidentiality is less important (not counting exceptions).

CIA principles of information security, Office IT versus PCD

             Confidentiality   Integrity          Availability
  Office IT  High importance   High importance    Low importance
  PCD        Low importance    Medium importance  Very high importance

Table 2 - CIA of Office IT vs. PCD

2.3 Importance of PCD Security

2.3.1 Regulations

PCD security is rapidly becoming more important, not least because of intensified regulation. In May 1998, President Clinton signed Presidential Directive PDD-63 regarding “Critical Infrastructure Protection” (Moteff & Parfomak, 2004). In response to the terrorist attacks on 9/11, this Directive was updated in 2003 with the Homeland Security Presidential Directive HSPD-7 for Critical Infrastructure Identification, Prioritization, and Protection (Evans, 2009), signed by President Bush. A similar programme in Europe, the “European Programme for Critical Infrastructure Protection” (EPCIP), was introduced in 2006.

The programme and directives resulted in the establishment of a number of organizations which regulated the critical infrastructure. Examples of critical infrastructure are nuclear or other power plants, water and drainage systems, transportation systems (public transport, airports, roads, tunnels) and information and communication systems (Moteff & Parfomak, 2004). All these systems (both in the US and in Europe) were marked as Critical Infrastructure and needed to be protected from emergencies, disasters, hacks, etc. The organizations were given the task to regulate this for specific systems, which included the security of information systems. As these systems are part of the PCD, this was also included.

Since then, in the US, the North American Electric Reliability Corporation (NERC) has been responsible for enforcing reliability standards for the bulk power system. The NERC produced the NERC CIP PCD framework and also performs audits on these controls. The International Atomic Energy Agency (IAEA) and the US Nuclear Regulatory Commission also perform audits on the PCD systems at nuclear power plants all over the world (Glantz et al., 2005). Regarding oil and gas, the American Petroleum Institute (API) regulated this with the API Standard 1164, “Pipeline SCADA Security” (Evans, 2009).


2.3.2 PCD Incidents

In addition to the regulations, the actual or near incidents which have occurred over the last few years have made organizations more aware of the need for security within the PCD. The number of computer security incidents (generic, so not particularly focused on the PCD) handled by the CERT Coordination Center (CERT/CC) increased from 6 in 1988 to 137,529 in 2003, and after that the CERT stopped counting incidents as the number was too high (CERT Historical Statistics, 2009). Not only did the number of attacks increase, but so did their level of sophistication. The use of widely available scripts and tools could even cause the actions of an inexperienced hacker to have devastating effects. The graph below shows the sophistication of attacks performed over the years (Lipson, 2002).

Figure 9 - Increase in sophistication of attacks (Lipson, 2002)

It is difficult to give an accurate number of PCD incidents that have occurred so far. However, organizations are encouraged to track their PCD incidents in a Repository of Security Incidents (RISI). This repository contains accidental cyber-related incidents as well as incidents caused by illegal access, DDoS attacks, etc. For all the incidents registered, an investigation is done and rated according to the reliability to ensure that only real incidents are registered. Up to December 2009, 175 confirmed incidents had occurred (Number of Security Incidents Continues to Increase, 2010).


Table 3 shows a selection of recent PCD security incidents and the impact of these incidents.

Repercussions from ineffective cyber security practices in the PCD

Event | Location | Impact
Gasoline pipeline failure exacerbated by control systems not able to perform control and monitoring functions (Whatcom Creek) | North America | Three fatalities, total property damage > US$45m
Sewage spill caused by wireless hacking of sewage discharge valves | Australia | > 1m liters of sewage spilled
Substation communication failure from Slammer worm traffic | North America | SCADA failed, resulting in loss of control
Targeted SCADA hack from internet | North America | No SCADA servers for two weeks; no mapping system for two weeks; four man-months to recover
Control center communication failure from unpatched Cisco router by worm | Europe | Loss of communication to almost half of the distribution substations for almost three days; inability to diagnose for 24 hours; approximately 40 man-weeks to clean up
Aurora experiment at the Idaho National Laboratory demonstrated a large diesel generator malfunctioning due to a remote attack | North America | Remote destruction of a large diesel generator
Control system workstation failures caused by IT penetration testing | North America | Slowdown or shutdown of all power plant control system workstations
Loss of power plant control from hackers | North America | For a brief period of time, a hacker played with the level control on a deaerator control system
Stuxnet attack targeting Siemens SCADA systems resulting in significant setbacks to the Iran nuclear program | Iran | Damage to the controllers handling the centrifuges at Iran's Natanz facilities

Table 3 - Recent PCD incidents (Weiss, 2010)

Local organizations might think that PCD incidents could only happen at big companies because there are more incentives. However, regarding critical infrastructure protection, no incentives are needed. Small PCD systems also need to be protected. Nowadays, the media and politicians are also gaining knowledge about this topic. For example, in The Netherlands, in the village of Veere, the password of the systems pumping water out of the polders was actually “veere”. Regarding this incident, “kamervragen” (parliamentary questions) were asked in the house of representatives of The Netherlands (Opstelten, 2012), which shows again the importance of this topic.


2.4 Recap of this chapter

This chapter gave an answer to the first research question: What is the PCD? This chapter described that a PCD consists of a collection of components (field instruments, PLCs, HMIs, RTUs and MTUs) which are all included in an industrial process. The composition of these components is also described and an example of a subway system is used to make it more tangible.

In addition, the differences between the Office IT domain and the PCD domain are explained, as well as the trend of the two moving towards each other. Vulnerabilities, risks and threats are different as well and need to be dealt with in another way. It is also explained that the CIA triad for the Office IT is not suitable for the PCD domain, because availability is much more important there (what will happen if a system controlling a nuclear power plant fails?).

As the last part of this chapter, the reason why PCD security is becoming more important in the industry is explained. This is because of the introduction of more regulation and legislation due to the introduction of a couple of acts and programmes started by the Presidents of the United States and the European parliament. The recent number of incidents has also led to more relevance for the industry.


3 Which frameworks can be identified

There are a large number of frameworks or best practices (which can be used as a framework) available to control the PCD. During the literature review, a scan was performed of relevant literature from various sources and a large number of PCD frameworks or good practices were identified, which are stated below in this long-list:

- Department of Homeland Security guidelines
- Department of Energy guidelines
- ISA99
- NIST 800-82
- Good practice guide process control and SCADA security (by the CPNI in the UK)
- NERC CIP
- Framework for SCADA Security Policy by Sandia
- CS2SAT
- DNPSec

As the list above contains too many PCD control frameworks, I raised a question during the interviews in the literature phase which frameworks were best known and used. Three frameworks were identified as being most known and most used, which are outlined in the short-list below:

- ISA99 (ANSI/ISA-TR99.00.0X-2007)
- NIST 800-82
- NERC CIP standard

This chapter continues with a description of the frameworks, the purpose of the frameworks and the form of guidance (e.g. how are the controls described? Is this very descriptive or more strict, such as “A password should consist of at least 8 characters”?). The password authentication control is used as an example to describe these different forms of guidance. This chapter gives an answer to the second sub-research question: Which frameworks are available for the security of PCSs?

3.1 ISA99

3.1.1 About the framework

ISA99 is actually a set of standards (International Society of Automation, 2007). The ISA99 standard committee consists of members with different backgrounds who are working with PCSs (like consultants, hardware/software vendors, security specialists, etc.). One of these standards is the technical report (ANSI/ISA99.00.01-2007) which provides an evaluation and assessment of many current types of electronic based cyber security technologies, mitigation methods, and tools that may apply to protecting the PCD against cyber attacks. The focus of this thesis is on this technical report (ANSI/ISA99.00.01-2007) as this document actually describes the controls.

The ISA99 Series of Standards


In addition to this technical report, the ISA99 committee is developing a series of standards on cyber security for the industrial automation and control systems environment. This series includes:

1. ISA99.00.01 (General) – Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts and Models (Published in 2007)
   Part 1 of this standard establishes the context for all of the remaining standards in the series by defining a common set of terminology, concepts and models for electronic security in the industrial automation and control systems environment.

2. ISA99.00.02 (Policies & Procedures) – Part 2: Establishing an Industrial Automation and Control System Security Program (Published in 2009 under the name ANSI/ISA-99.02.01-2009)
   Part 2 describes the elements of a cyber security management system and provides guidance for their application to industrial automation and control systems.

3. ISA99.00.03 (System) – Part 3: Operating an Industrial Automation and Control System Security Program
   Part 3 will address how to operate a security program after it is designed and implemented. This part includes guidance for defining and applying metrics to measure program effectiveness.

4. ISA99.00.04 (Component) – Part 4: Technical Security Requirements for Industrial Automation and Control Systems
   Work began in mid-2007 on the Part 4 standard, which will define the characteristics of industrial automation and control systems that differentiate them from other information technology systems from a security point of view. Based on these characteristics, the standard will establish the security requirements that are unique to this class of systems.


Figure 10 - ISA99 structure

3.1.2 Purpose of the framework

The purpose of the ISA99 framework (specifically the technical report focused on in this research paper: ANSI/ISA99.00.01-2007) is to categorize and define cyber security technologies, countermeasures, and tools currently available to provide a common basis for technical reports and standards to be produced later by the ISA99 committee.

“The intent of this (ANSI/ISA99.00.01-2007) ISA99 framework is to document the known state of the art of cyber security technologies, tools, and countermeasures applicable to the IACS environment, clearly define which technologies can reasonably be deployed today, and define areas where more research may be needed.” (International Society of Automation, 2007). This statement means that the purpose and intent of the ISA99 framework is to provide some hands-on knowledge on the actual availability of security technologies, tools and countermeasures which are relevant for the PCD. Next to that, with the knowledge of the available technologies, tools, etc., the ISA99 framework also provides some insight on what is missing and what topics require more research.


3.1.3 Guidance within the framework

The ISA99 standard describes the recommended controls in detail. It gives a general description of what the control is about, like the types of passwords (passcode/PIN, password, passphrase) and also the characteristics of the different types of passwords (length, complexity, etc.).

Next to the description of the control, the ISA99 standard also describes the security vulnerabilities, the typical deployment and the known issues and weaknesses of the controls. For that last topic (known issues and weaknesses), the standard describes the following issues for passwords (the example used throughout this paper): default passwords, known simple passwords (like “password” or “operator”), key loggers to capture the password, hashed passwords and access to the password file.

The ISA99 standard also describes the assessment of the control in a PCD environment and the problems which could arise. For example, in times of crisis, an operator needs to log in to a device very urgently; however, due to the stress the operator types the password wrong a couple of times and his account may be blocked. The standard also describes the future direction of the control. For the password control example, the future direction of the control is to make more use of Role-Based Access (all operators with the same role use a generic role account). The control description ends with some recommendations, guidance and references to literature for more information. From a qualitative perspective, the level of guidance given by this framework for this thesis is evaluated as a 4 on a 1-5 scale.

3.2 NIST 800-82

3.2.1 About the framework

The NIST 800-82 standard provides an overview of PCSs and typical system topologies, identifies typical threats and vulnerabilities to these systems and provides security countermeasures to mitigate the associated risks (NIST Special Publication 800-82, 2008). The document describes the generic overview of PCSs and, next to that, it provides guidance on how to develop a PCD security program. In the last chapters of the document, a summary is given of the NIST 800-53 document (NIST Special Publication 800-53, 2009), which actually describes the controls and provides initial guidance on how these security controls apply to the PCD.

3.2.2 Purpose of the framework

The purpose of the NIST 800-82 framework is to provide guidance for securing PCSs. The NIST 800-82 provides an overview of PCS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. Because there are many different types of PCS with varying levels of potential risk and impact, the document provides a list of many different methods and techniques for securing PCS. The NIST 800-82 framework should not be used purely as a checklist to secure a specific system. Organizations which use the framework are encouraged to perform a risk-based assessment on their systems and to customize the recommended guidelines and solutions to meet their specific requirements.

3.2.3 Guidance within the framework

The NIST 800-82 describes the controls a bit differently than the ISA99; however, we have to note that the NIST 800-82 is related very closely to the NIST 800-53, which describes the controls at a more detailed level with less guidance than the NIST 800-82.

For each set of controls, a (sub)chapter is created in the standard, like “6.3.1 Identification and Authentication” for the password authentication control. Within this chapter a generic introduction is given to all types of measures for the control, like PIN code, password, biological identification, location based identification, etc. Also the relation to the NIST 800-53 control section (IA, Identification and Authentication) and other related NIST documents are mentioned.

Next, the subchapters (6.3.1.1 Password Authentication in our example) describe a more specific version of the control. Within an outlined box, PCD specific recommendations and guidance are given. For the password example, NIST 800-82 also provides examples of mistakes made during moments of stress and there is mention that “Organizations should carefully consider the security needs and the potential ramifications of the use of authentication mechanisms on these critical systems”. Within this box, the recommendations are also given, like length, complexity, use of a master password, etc. From a qualitative perspective, the level of guidance given by this framework for this thesis is evaluated as a 3 on a 1-5 scale.

3.3 NERC CIP standard

3.3.1 About the framework

The NERC CIP (Critical Infrastructure Protection) standard is created by the NERC (North American Electric Reliability Corporation). The NERC is a non-profit organization that defines and enforces reliability standards for the bulk power system in North America (NERC CIP Standard). This standard is made compulsory for all entities responsible for the reliability of the Bulk Electric Systems in North America.

For its members, the NERC created a framework (as described in the CIP standard) on how the PCSs should be controlled. The controls are described on a very detailed level and do not give a lot of guidance and background information.


3.3.2 Purpose of the framework

The purpose of the Critical Infrastructure Protection (CIP) program and framework is to coordinate all of NERC's efforts to improve physical and cyber security for the bulk power system of North America as it relates to reliability. These efforts include standards development, compliance enforcement, assessments of risk and preparedness, disseminating critical information via alerts to industry and raising awareness of key issues. The framework also recognizes the differing roles of each entity in the operation of the Bulk Electric System, the criticality and vulnerability of the assets needed to manage Bulk Electric System reliability, and the risks to which they are exposed.

3.3.3 Guidance within the framework

The NERC CIP standard is described quite differently from the ISA99 and NIST 800-82. Each control is divided into smaller (sub)chapters. The first one, A. Introduction, only states that this control is part of the larger NERC CIP standard, who is responsible for this control and which types of companies are exempt from this particular control.

Chapter B. Requirements describes the requirements with which the PCS should comply. For example, for R5.3 the requirement is that a password should have a minimum length of 6 characters, should contain numbers, letters and special characters, and that each password should be changed annually.

Chapter C. Measures describes what the responsible entity should document for this control, and chapter D. Compliance describes how to be compliant with the framework. Finally, chapter E. Regional Variances describes some control differences, for example when states in the US have different laws which influence the control. Some controls also have an appendix which is used as a Frequently Asked Questions section. From a qualitative perspective, the level of guidance given by this framework is evaluated for this thesis as a 3 on a 1-5 scale.

3.4 Recap of this chapter

This chapter answered the following sub-research question: Which frameworks are available for the security of PCS's? The question was answered by describing the different frameworks. Our focus is on the ISA99, NIST 800-82 and NERC CIP standards because the first explorative interviews revealed that these frameworks were best known and most used.

The ISA99 standard is actually a set of standards which are still under development. The framework consists of four parts, each focused on a different topic (General, Policies & Procedures, System and Component). Only a few parts of this standard have been published so far. For this thesis, the particular ISA-TR99.00.01-2007 document is used. The standard gives guidance for each control in the form of a general description, known vulnerabilities, typical deployment, and known issues and weaknesses of the control. The standard also describes the limitations of the control implementation in practice, the future direction and recommendations, and finally some literature references. From a qualitative perspective, the level of guidance given by this standard is evaluated for this thesis as a 4 on a 1-5 scale.


The NIST 800-82 framework gives a generic overview of the PCD and some guidance on how to develop a PCD control framework. The framework also describes the PCD controls as defined in the NIST 800-53. The framework gives guidance in the form of a description of the control and practical examples; there is no more extensive predefined structure of topics (which is available in the ISA99). From a qualitative perspective, the level of guidance given by this framework is evaluated for this thesis as a 3 on a 1-5 scale.

The NERC CIP standard is made compulsory for all entities responsible for the reliability of the Bulk Electric System in North America. The controls are described in different sections: starting with the applicability of the control, the requirements with which the company should comply, measurement rules on how the company should keep documentation, compliance rules and regional variances. From a qualitative perspective, the level of guidance given by this framework is evaluated for this thesis as a 3 on a 1-5 scale.

The main difference between these standards is the way the NERC CIP describes the controls: stricter, with less flexibility in the guidance compared to the ISA99 and NIST 800-82 frameworks. The purpose of the frameworks also differs. The ISA99 provides hands-on information about the availability of security technologies, tools and countermeasures, and also about what is missing and needs more research. The purpose of the NIST 800-82 is to provide an overview of PCS and typical system topologies, identify typical threats and vulnerabilities to these systems, and provide recommended security countermeasures to mitigate the associated risks. The purpose of the NERC CIP is to coordinate all of NERC's efforts to improve physical and cyber security for the bulk power system of North America.
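The password guidance compared in sections 3.1.3, 3.2.3 and 3.3.3 can be turned into an automated check. The following is an added example, not code from the thesis or from any of the three standards: it encodes the NERC CIP R5.3 requirement as summarized above (minimum length of 6, numbers, letters and special characters, changed annually) together with the ISA99 list of known weaknesses (default and known simple passwords such as "password" or "operator"). The PasswordRecord structure, the deny-list entries other than those two words, the review date and the sample accounts are constructed for this example.

```python
"""Password-policy check derived from the guidance quoted in chapter 3.

Added example: this is not code from the thesis or from ISA99, NIST 800-82
or NERC CIP. It encodes only what chapter 3 quotes:
  - NERC CIP R5.3 (section 3.3.3): at least 6 characters, containing numbers,
    letters and special characters, changed annually;
  - ISA99 known issues (section 3.1.3): default and known simple passwords
    such as "password" or "operator".
PasswordRecord, the deny-list entries other than those two words and the
sample accounts are constructed for this example.
"""
from __future__ import annotations

import string
from dataclasses import dataclass
from datetime import date, timedelta

MIN_LENGTH = 6                     # NERC CIP R5.3 as quoted in 3.3.3
MAX_AGE = timedelta(days=365)      # "changed annually"

# Constructed deny-list: the two words named in 3.1.3 plus common defaults.
KNOWN_SIMPLE_PASSWORDS = frozenset({
    "password", "operator", "admin", "default", "123456",
})


@dataclass(frozen=True)
class PasswordRecord:
    """Minimal view of an account for a policy review (constructed)."""
    account: str
    password: str
    last_changed: date


def policy_violations(record: PasswordRecord, today: date) -> list[str]:
    """Return each requirement the record fails; an empty list is compliant."""
    pw = record.password
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        violations.append("no letters")
    if not any(c.isdigit() for c in pw):
        violations.append("no numbers")
    if not any(c in string.punctuation for c in pw):
        violations.append("no special characters")
    if pw.lower() in KNOWN_SIMPLE_PASSWORDS:
        violations.append("known simple or default password")
    if today - record.last_changed > MAX_AGE:
        violations.append("not changed within the last year")
    return violations


def audit(records: list[PasswordRecord], today: date) -> dict[str, list[str]]:
    """Map each account name to its violations, for an annual review."""
    return {r.account: policy_violations(r, today) for r in records}


# Constructed sample accounts; the review date is fixed so the age check is repeatable.
REVIEW_DATE = date(2012, 6, 1)
SAMPLE_ACCOUNTS = [
    PasswordRecord("hmi-operator", "operator", date(2012, 1, 1)),   # ISA99 example word
    PasswordRecord("historian-svc", "Tr7#mill", date(2011, 1, 1)),  # meets R5.3 but stale
    PasswordRecord("eng-station", "Tr7#mill", date(2012, 1, 1)),    # compliant
]

if __name__ == "__main__":
    for account, problems in audit(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(account, "OK" if not problems else "; ".join(problems))
```

A check like this runs when a password is set or changed, which is the only moment the plaintext is available to evaluate; it reports violations rather than blocking the account, in line with the crisis scenario in 3.1.3 where a locked operator account is itself the problem.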


4 PCD Frameworks compared

As described in chapter 3, during the first explorative meetings many PCD control frameworks were identified, but only a limited number of frameworks are widely used by organizations. Three frameworks were best known, as mentioned by the interviewees:

- ISA99 (ANSI/ISA-TR99.00.0X-2007)
- NIST 800-82
- NERC CIP standard

Therefore the comparison in this chapter focuses on these three PCD control frameworks.

It is also interesting to see how the PCD frameworks relate to the well-known default security framework of the office IT domain, ISO 27001. This is especially interesting because it is often suggested that security in the PCD is less developed than in the Office IT domain. See for example the recent article "Procesbesturing: onbewust onveilig" (Luiijf, March 2012).

This chapter answers the sub-research question: What are the differences between the frameworks?

4.1 Overview of controls

As a starting point, the ISA99 standard has been selected as the index for the comparison. The motivation for this is that the ISA99 standard is the most explicit in describing the guidance categories and controls. The next step was to add the NIST 800-82 framework to the overview: the related controls were mapped, and controls which were not mentioned in the ISA99 standard were added to the list. Next the NERC CIP standard was added; we mapped its controls to the ISA99 and NIST 800-82 standards. Controls which could not be mapped were added to the table in the appropriate category.

For reference purposes, we also matched the ISO 27001 standard, but we did not add the controls which were not covered by the other frameworks. The reason for this is that the controls in the ISO 27001 standard cover a much broader area of information security, many of which have no relation with process control systems. A specific example is change management. In the office IT domain, this is one of the most important control areas, but in the PCD it is of less importance because the software is written directly for the specific hardware. A change to that software is not very likely. It is mentioned that implementing changes is the most vulnerable activity in the PCD area and should be avoided as much as possible. Activities such as maintenance and patch management are of course also applicable in the PCD and are also covered in the comparison.

The controls were not always defined on exactly the same level. For example, a single control could exist in one framework, but exist as two separate controls in another framework.

This resulted in an extensive list which is presented in Appendix B. Table 4 shows a summarized overview of that table, comparing the coverage per control/topic category between the four frameworks. The first number represents the number of controls that the framework covers and the second number represents the number of controls identified in total from the three PCD frameworks.


For the first category, security program development and deployment, 6 distinct controls have been found (see Appendix B for these 6 controls). The ISA99 standard does not cover this category, thus the score in this table is written as 0/6; the NERC CIP standard addressed 1 out of the 6 controls.

Control/topics | ISA99 | NIST 800-82 | NERC CIP | ISO 27001
Security Program Development and Deployment | 0/6 | 6/6 | 1/6 | 2/6
Authentication and Authorization technologies | 9/9 | 5/9 | 4/9 | 2/9
Filtering/Blocking/Access Control Technologies | 3/3 | 3/3 | 0/3 | 3/3
Communication, Encryption Technologies and Data Validation | 3/5 | 5/5 | 3/5 | 5/5
Management, Audit, Measurement, Monitoring, and Detection Tools | 7/14 | 9/14 | 10/14 | 7/14
Industrial Automation and Control Systems Computer Software | 3/3 | 1/3 | 1/3 | 1/3
Physical Security Controls | 2/2 | 2/2 | 2/2 | 2/2

Table 4 - Controls comparison summarized overview

When summing the number of controls covered by the frameworks, we can conclude that the frameworks are roughly balanced and that no single framework covers more topics than the others. One exception is the ISA99 for the first category. The explanation for this is that this category is covered in another part of the framework, to be more specific in the ISA99.00.02 part, which is not taken into account for this comparison. Another exception is the NERC CIP, which does not cover the filtering/blocking access control technologies. The reason for this may be that the control descriptions in the NERC CIP are often on a higher level, and only in the explanatory notes (which were not covered as controls in the comparison) are more details given in the form of examples or questions.

The categories of controls which the frameworks cover are not the same; however, a distinction that one framework covers the technical controls more than another framework could not be made. What is visible is that the Physical Security Controls are covered by all three frameworks.


4.2 Recap of this chapter

This "PCD Frameworks compared" chapter explained the differences between the frameworks and answered the sub-research question: What are the differences between the frameworks? For a number of controls, the frameworks described almost the same controls; however, some differences were noted. The ISA99 does not describe controls regarding a management system for the controls. A second difference is that the NERC CIP does not cover the filtering/blocking access control technologies.


5 Use of the PCD frameworks and lessons learned

The interview findings are presented in this chapter. A total of three extended (or in-depth) interviews were conducted for the purpose of this study:

- The first interview was held with the Global Group IT Security Officer at a large international energy company.
- The second interview was held with a professional PCD researcher at a large research company in The Netherlands.
- The third interview was held with a security expert at a large international oil and gas company.

At the request of the interviewees, all information obtained during the interviews is processed and noted anonymously, to maintain the confidentiality of the sources. At the end of this chapter, the answers to the following sub-research questions are presented: How do companies make use of these frameworks to secure PCS's? and What are the lessons learned regarding these frameworks?

5.1 Frameworks used as good practice

The first important finding of the interviews is that the PCD-specific frameworks are known and used. However, the frameworks were not implemented as is; rather, these frameworks were used as good practice.

In one organization, a dedicated new PCD security framework was created. The interviewee indicated that the sources of this framework were the PCD-specific frameworks, the ISA99 and NIST 800-82.

Another interview showed that a generic Information Security framework was created based on ISO 27001. All systems within the organization should comply with this information security framework. This framework was applicable to the Office IT systems and also to the PCD systems. For the PCD systems, an add-on framework was added to the generic Information Security framework. This add-on framework is a company-specific framework that is composed of controls as described in the ISA99, NIST 800-82 (and 800-53 for the details) and the VGB R175e framework. This last framework was developed in Germany.

One of the organizations defined the controls per criticality of the application: for very critical systems (often PCD systems) more severe security controls were needed than for less critical systems. This is further explained in section 5.3 Tier model.

Furthermore, the controls mentioned in the frameworks were always adjusted to the organizations' specific needs or policies, to avoid too restrictive rules. A practical example given was that many standards prescribe that a password should have a minimum length of 8 characters. Yet an interviewee stated that a password should have a sufficient minimum length, while it was up to the designer of the system or the application owner to motivate what the minimum should be. Likewise, as described in the previous chapter, in case of emergencies PCD systems should be accessible at a moment's notice. In that case, other rules apply than for an outgoing payment application, which has stricter rules.


In addition, one of the interviewees indicated that in general a security officer lacks the detailed knowledge of all the different systems within the organization needed to prescribe a certain level of detail for the systems.

5.2 Use of ISO27001

During the interviews, a remarkable finding was that the PCD-specific frameworks are initially composed of controls from the ISO 27001. Moreover, as noted in the previous subchapter, one interviewee indicated that the PCD systems should also comply with the (organization-specific) ISO 27001 controls. This shows that the ISO 27001 is still by default the major overall security framework for all systems, including the process control systems. The PCD frameworks are used for additional PCD controls on top of the ISO 27001.

5.3 Tier model

One of the interviewees showed the PCD control framework of that organization, which includes a tier model. The difference with the classification in the NERC CIP standard is that the NERC CIP refers to a control and the applicability of that control to a complete industry (e.g. nuclear plants). The interviewee's organization used the tier model to refer to a system category (or zone, as it is called in that framework).

The organization of the interviewee has a list of all PCD IT assets and classified these into six tiers/zones (the Vattenfall group uses a similar model, which is shown in Figure 11 (Zerbst, Hjelmvik, & Rinta-Jouppi, 2009)). For each of the controls within their PCD framework it is determined to which tiers/zones the control is applicable. For example, the organization has a control in place about connections to the internet. In their case, a system in zone 5 is allowed to have a connection to the internet, while a zone 2 system is not allowed to have a direct internet connection. However, a zone 2 system is allowed to connect to a secured system in zone 3 only. When using the secured internal route via a zone 3 system and then a zone 5 system (the proxy server), a zone 2 system can access information retrieved from the internet in a secure way. Suppliers often make use of this kind of connection, but have to identify themselves at each zone within the network. In this case, zone 3 is used as the gate and DMZ zone for the PCD systems, which are usually placed in zones 1, 2 and 3. Office IT systems, including proxy servers to the internet, are normally located in zones 4, 5 and 6.

Figure 11 - Example of a six-tier model
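The zone rules described above, as an added example that is not the interviewed organization's framework and not the Vattenfall model of Figure 11: the allowed hops are exactly the ones the text states (zone 2 to zone 3 only, zone 3 to the zone 5 proxy, zone 5 to the internet). Treating every hop not listed as denied is an assumption this example makes, and the rule names in SAMPLE_RULES are constructed; a practitioner would feed the same check with the organization's real firewall rule set.

```python
"""Zone-model connection check built from the six-zone example in section 5.3.

Added example: not the interviewed organization's framework and not the
Vattenfall model of Figure 11. Zones are numbered 1..6; INTERNET stands for
everything outside the network. Only the hops the text states are allowed:
  zone 2 -> zone 3 (the DMZ / gate zone) only,
  zone 3 -> zone 5 (the proxy server),
  zone 5 -> internet.
Every hop not in ALLOWED_HOPS is denied; that default-deny reading and the
rule names in SAMPLE_RULES are assumptions made for this example.
"""
from __future__ import annotations

INTERNET = "internet"
PCD_ZONES = frozenset({1, 2, 3})      # process control systems (3 = DMZ/gate)
OFFICE_ZONES = frozenset({4, 5, 6})   # office IT, proxy servers in zone 5

ALLOWED_HOPS = frozenset({
    (2, 3),          # zone 2 may reach a secured system in zone 3 only
    (3, 5),          # zone 3 forwards to the zone 5 proxy
    (5, INTERNET),   # only zone 5 talks to the internet
})


def domain(zone) -> str:
    """Name the part of the network a zone belongs to."""
    if zone == INTERNET:
        return "internet"
    if zone in PCD_ZONES:
        return "PCD"
    if zone in OFFICE_ZONES:
        return "Office IT"
    raise ValueError(f"unknown zone {zone!r}")


def hop_allowed(src, dst) -> bool:
    """A single hop is permitted only if the model lists it (default deny)."""
    for zone in (src, dst):
        domain(zone)                  # reject unknown zones early
    return (src, dst) in ALLOWED_HOPS


def route_violations(route) -> list[str]:
    """Describe every hop of a route that the model does not permit."""
    return [
        f"{src} -> {dst} not permitted ({domain(src)} to {domain(dst)})"
        for src, dst in zip(route, route[1:])
        if not hop_allowed(src, dst)
    ]


def identification_points(route) -> int:
    """Zones entered along the route, i.e. where a supplier must identify itself."""
    return sum(1 for dst in route[1:] if dst != INTERNET)


def check_rules(rules) -> list[str]:
    """Return the names of (name, src, dst) rules that violate the zone model."""
    return [name for name, src, dst in rules if not hop_allowed(src, dst)]


# Constructed firewall rule set for review.
SAMPLE_RULES = [
    ("plc-to-dmz-historian", 2, 3),
    ("dmz-to-proxy", 3, 5),
    ("proxy-to-internet", 5, INTERNET),
    ("vendor-direct-internet", 2, INTERNET),   # bypasses zones 3 and 5
    ("dmz-bypass", 2, 5),                      # skips the DMZ zone
]

if __name__ == "__main__":
    print(route_violations([2, 3, 5, INTERNET]))        # []
    print(route_violations([2, INTERNET]))
    print(identification_points([2, 3, 5, INTERNET]))   # 2
    print(check_rules(SAMPLE_RULES))
```

The supplier route from the text, zone 2 via zone 3 and zone 5 to the internet, passes with two identification points (zones 3 and 5), while a direct zone 2 to internet rule and a rule that skips the DMZ are both flagged.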


5.4 Management system of the frameworks

One of the interviewees also indicated that the management process for implementation and maintenance is very important and should be part of the framework itself. The prescription of the controls by itself is insufficient without a management process in place for the plan-do-check-act cycle.

The ISO 27001 standard is part of a series of security standards, sometimes referred to as the ISO 2700x series. The complete series does not only define the detailed controls, but also includes guidelines for a management system for the information security process, called the Information Security Management System (ISMS). The NERC CIP framework, by contrast, merely describes the controls. The ISA99 framework describes the controls, while the ISMS is described in another part of the ISA99 framework (called the ANSI/ISA-99.02.01-2009). The NIST 800-82 framework itself also does not describe the ISMS, as this is covered in other frameworks of the NIST. With all the related publications NIST created a complete Security Life Cycle consisting of the NIST 800-37, NIST 800-53, NIST 800-53A, NIST 800-60 and NIST 800-82 special publications.

For the interviewee the different descriptions of ISMS's were a good reason to promote the ISO 2700x as the core information security framework, and to have additions from the PCD frameworks on specific topics.

5.5 Recap of this chapter

This chapter answered the following research questions: How do companies make use of these frameworks to secure PCS's? and What are the lessons learned regarding these frameworks? This chapter primarily focused on the results of the expert interviews. The outcomes are that the PCD frameworks are used, however as good practice, in order to create a more complete and suitable PCD framework for the organizations. The use of the ISO 27001 is also remarkable, as this framework covers most of the controls of the PCD frameworks. However, the ISO 27001 describes controls on a different level than the PCD frameworks do.

The use of the tier model was also discussed, which enables organizations to make certain systems more secure than other systems, thereby enabling organizations to work towards more efficient information security.


6 Summary

The final chapter of this thesis presents the conclusion that answers the main research question of this study. Finally, a reflection upon the research, a discussion of the results, and suggestions for further research are offered.

6.1 Conclusion

For this study, the following main research question was defined:

Which frameworks are available for the security of PCS's and how do companies experience these frameworks in practice?

Many frameworks are available for the security of PCS's; for this research, we did a scan among various sources and already identified 9 different commonly referred to PCD frameworks. The best known and most widely used frameworks, which we also applied in this study to determine the experiences in practice, are the ISA99, NIST 800-82 and the NERC CIP.

To determine how organizations are using the PCD frameworks in practice, we first compared the frameworks in order to understand the choices of organizations for a certain framework. The comparison led to an overview which shows that the three PCD frameworks cover a similar number of controls. However, the comparison also showed two differences: the ISA99 does not describe controls regarding a management system for the controls. This ISA99 standard is still under development, and this will be added later in a related document within the standard. Another difference is that the NERC CIP does not cover the filtering/blocking access control technologies. A reason for this may be that the control descriptions in the NERC CIP are often on a higher level. During the interviews, these differences were confirmed, but missing one of these sets of controls was not classified as having a positive or negative effect on the framework.

The practical use of frameworks became clear in the interviews that were conducted. The PCD frameworks are mainly used as good practice. According to the interviewees this is not a positive development, as the use as good practice implies that the frameworks are not mature enough to use them as leading practice. Currently, as leading practice, the interviewees make use of the "classic" ISO 27001, which is a negative development as well, because of the different angle from which the standard should be used: ISO 27001 is used for information security, unlike the PCD frameworks, which focus on infrastructure/process security. Currently, the organizations of the interviewees instead select a set of controls from the ISO 27001 and use PCD-specific controls as an add-on to the information security framework.


In support of the conclusion on the main research question, the following sub-research questions were answered:

1. What is the PCD?

The PCD is a combination of different real-time industrial process systems, also known as SCADA systems. The PCD consists of different connected components which all have their own specific task in the process. The infrastructure of a PCD is often very complex (a PCD could consist of thousands of units) and often consists of old legacy systems. As a result, the PCD is difficult to control, and the systems also demand high availability.

2. Which frameworks are available for the security of PCS's?

Many security frameworks for PCS's could be identified. During the explorative interviews, the interviewees mentioned the ISA99, NIST 800-82 and NERC CIP as best known and most widely used; therefore, we limited the scope of this thesis to these specific frameworks.

3. What are the differences between the frameworks?

Differences in the three PCD frameworks which were selected for this study were identified in the form of guidance. However, no clear signs were found that one is better than the other. Differences were also found in the controls of the selected frameworks. However, the control comparison has shown that the PCD frameworks cover about the same number of controls, and also that the PCD frameworks have a special focus on some topics which is not shown in the comparison overview.

4. How do companies make use of these frameworks to secure PCS's?

First, organizations make use of the PCD frameworks, but they are used as good practice (instead of leading practice) to create a complete/suitable PCD framework, in combination with the ISO 27001 framework, for the organizations. In addition, the use of a tier model is one of the solutions that one of the interviewed organizations had added to their PCD framework to match controls to the level of criticality of the PCS.

5. What are the lessons learned regarding these frameworks?

The lessons learned are that PCD frameworks are used within organizations, but as input for extra controls on top of the security controls from the ISO 27001, which is negative for the PCD frameworks. The interviewees also mentioned that the PCD frameworks are not used as is; rather, their organizations customized the controls (in description as well as in form and example controls) in order to fit the organizational use of the PCD.


6.2 Reflection and discussion

This chapter reflects my personal opinion on the process of writing this thesis; I will also discuss the subject-related results of the thesis.

6.2.1 Research reflection

When having thoughts about the subject of the thesis, it became clear at an early stage to do research on a topic in the PCD, but on which topic exactly was not directly clear. As the topic is relatively new and there was hardly any prior research available, a lot of topics were hard to research in the short time I had. After three failed research plans, the plan for this research was accepted. Next time, I should try to make the topic more realistic to perform. What I did well was to set a clear scope and also to define the boundaries at an early stage in this research. When I started with the actual research, the most difficult part of the literature research was to find the right literature that could help me elaborate more on the research questions. It was also a challenge to arrange meetings with companies for the interviews. I made a lot of phone calls and after a few weeks of talking to voicemails, leaving messages, etc. I managed to have enough interview partners. The last challenge was to combine all information gathered in this thesis, which was good enough for submission. It took a lot of evenings and it wasn't fun all the time, but I managed it!

6.2.2 Result discussion

When looking back at the results of the thesis, one of the things that surprised me is that so many companies are still using the ISO 27001 as leading practice for their PCS as well, while the ISO 27001 is explicitly created for information security instead of infrastructure/process security. What also astonished me was that there are that many different frameworks that I identified in the relatively short time of this study. The industry should consider creating one leading practice (which also eliminates the use of the ISO 27001) instead of the many different frameworks.

The last thing that surprised me (not completely related to the research topic) was what action was taken on PCD incidents. For example, the incident that happened at the water pumping station in Veere. The password was that easy (it was just "veere"), so anyone could have had access to these pumps. Upon discovering that, a letter was sent to the authorities regarding the safety-related issues. It was simply replied that it would be investigated and that safety was not in danger. That was all we heard about that incident in the media. We expected that an audit would be announced on similar systems, but this was not the case. This shows that PCS security does not have a high priority (yet) and the possible danger is not recognized enough by the regulators.


6.3 Further research

During this study, a number of topics were identified during the interviews that could be used for future research; three of these topics are discussed below.

6.3.1 Tier models & their applicability

In this study, a small paragraph was dedicated to tier models that are used at one of the organizations interviewed for this study. The question that came up after the interviews, to which an answer could not be found (yet), is whether these models could contribute to a more secure PCD domain and could provide cost savings, due to the fact that not all controls would need to be implemented and audited.

6.3.2 Who is responsible for the security of PCS's

Given the way in which controls are described, the question was raised who is responsible for the security of the PCD, as an interview showed that the strictness of the controls which were described is low, and that the security specialist should decide what the actual control should be. The relevant question here is: who is the security specialist? Is this an engineer working directly with the systems, who could probably assess their risks best, or an IT security specialist who knows everything about security?

6.3.3 Self-assessment tools

During one of the interviews, the discussion reached the topic of audits and how these are/should be performed. One of the things mentioned was that some self-assessment tools are available for download (some even for free). Further research is needed to identify these self-assessment tools, specifically designed for the PCD domain, and to determine whether the results of a self-assessment can be used in practice as support for an audit.


APPENDIX A – Bibliography

The following literature is used in this thesis:

CERT Historical Statistics. (2009, 02 12). Retrieved 04 02, 2012, from http://www.cert.org/stats/
Culter, T., & Barber, A. (2001). Gasoline Pipeline Rupture and Explosion at Whatcom Creek: A Focus on Response Management.
Daneels, A., & Salter, W. (1999). What is SCADA? International Conference on Accelerator and Large Experimental Physics Control Systems (p. 5). Trieste, Italy.
Duggan, D. P. (2005). Penetration Testing of Industrial Control Systems. Sandia Report.
Ernst & Young. (2012). Insights on IT risk - Bringing IT into the fold.
Evans, R. P. (2009). Control Systems Cyber Security Standards Support Activities.
Fenrich, K. (2007). Securing Your Control System.
Glantz, C., Bass, R., Cash, J., Coles, G., Gower, D., Heilman, J., et al. (2005). An Examination of Cyber Security at Several U.S. Nuclear Power Plants.
Google Images. (2012). Retrieved from http://www.google.com/images/
Igure, V. M., Laughter, S. A., & Williams, R. D. (2006). Security issues in SCADA networks. Charlottesville: University of Virginia.
International Society of Automation. (2007). ANSI/ISA-TR99.00.01-2007. ISA.
Landau, S. (2008). Security and Privacy Landscape in Emerging Technologies. IEEE Security & Privacy, 74-77.
Lipson, H. F. (2002). Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues.
Luiijf, E. (March 2012). Procesbesturing: onbewust onveilig. Beveiliging Managementblad.
Matrosov et al. (2011). Stuxnet under the microscope.
Moteff, J., & Parfomak, P. (2004). Critical Infrastructure and Key Assets: Definition and Identification.
NERC CIP Standard. (n.d.). CIP Standard. Retrieved March 12, 2012, from North American Electric Reliability Corporation: http://www.nerc.com/page.php?cid=2%7C20
NIST Special Publication 800-53. (2009). NIST 800-53: Recommended Security Controls for Federal Information Systems and Organizations. NIST.
NIST Special Publication 800-82. (2008). NIST 800-82: Guide to Industrial Control Systems (ICS) Security. NIST.
Number of Security Incidents Continues to Increase. (2010, 04 29). Retrieved 04 02, 2012, from ControlDesign.com: http://www.controldesign.com/industrynews/2010/023.html
Opstelten, I. (2012). Brief - Beveiliging van SCADA-systemen.
Peerlkamp, S. F., & Nieuwenhuis, M. B. (2010). Process Control Network Security. VU Thesis.
Poulsen, K. (2003, 08 19). Slammer worm crashed Ohio nuke plant network. Retrieved May 26, 2011, from SecurityFocus.com: http://www.securityfocus.com/news/6767
Simonsson, M., & Hultgren, E. (2005). Administrative systems and operation support systems – A comparison of IT governance maturity. Sweden: Colloquium SC D2.
US-CERT. (2011). Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies.
Weiss, J. (2010). Protecting Industrial Control Systems from Electronic Threats. Momentum Press.
Zerbst, J.-T., Hjelmvik, E., & Rinta-Jouppi, I. (2009). Zoning principles in electricity distribution and energy production environments. 20th International Conference on Electricity Distribution. Prague.


APPENDIX B – Framework comparison

This table shows a mapping of the ISA99, NIST 800-82 and NERC CIP frameworks. In addition, the corresponding ISO 27001 controls are listed next to them for reference purposes. Group headings (rows without references) give the control category; the numbers in the ISA99 and NIST 800-82 columns refer to the sections of those documents.

Control | ISA99 | NIST 800-82 | NERC CIP | ISO 27001
--- | --- | --- | --- | ---
Security Program Development and Deployment | | | |
Security Assessment and Authorization | | 6.1.1 Security Assessment and Authorization | | A6.1 Internal organization
Planning | | 6.1.2 Planning | |
Risk Assessment | | 6.1.3 Risk assessment | |
System and service acquisition | | 6.1.4 System and service acquisition | |
Program management | | 6.1.5 Program management | |
Awareness and training | | 6.2.9 Awareness and training | CIP-004-3, CIP-004-4 Personnel and training | A8.2.1 IS awareness, education and training
Authentication and Authorization Technologies | | | |
Role-Based Authorization Tools | 5.1 Role-Based Authorization Tools | 6.3.2.1 Role-based access control | | A11.2.2 Privilege management
Password Authentication | 5.2 Password Authentication | 6.3.1.1 Password authentication | CIP 007-3 – System security management | A11.2.3 User password management
Challenge/Response Authentication | 5.3 Challenge/Response Authentication | 6.3.1.2 Challenge/response authentication | |
Physical/Token Authentication | 5.4 Physical/Token Authentication | 6.3.1.3 Physical token authentication | |
Smart Card Authentication | 5.5 Smart Card Authentication | | CIP-006-3c – Physical security |
Biometric Authentication | 5.6 Biometric Authentication | 6.3.1.4 Biometric authentication | CIP-006-3c – Physical security |
Location-Based Authentication | 5.7 Location-Based Authentication | | |
Password Distribution and Management Technologies | 5.8 Password Distribution and Management Technologies | | CIP 007-3 – System security management |
Device-to-Device Authentication | 5.9 Device-to-Device Authentication | | |
Filtering/Blocking/Access Control Technologies | | | |
Network Firewalls | 6.1 Network Firewalls | 5.1 Firewalls | | A11.4.6 Network connection control; A11.4.7 Network routing control
Host-based Firewalls | 6.2 Host-based Firewalls | 5.3 Network Segregation | | A11.4.6 Network connection control; A11.4.7 Network routing control
Virtual Networks | 6.3 Virtual Networks | 5.2 Logically separated control network; 6.3.2.3 Virtual local area network | | A11.4.5 Segregation in networks
Communication, Encryption Technologies and Data Validation | | | |
Symmetric (Secret) Key Encryption | 7.1 Symmetric (Secret) Key Encryption | 6.3.4.1 Encryption | | A12.3 Cryptographic controls
Public Key Encryption and Key Distribution | 7.2 Public Key Encryption and Key Distribution | 6.3.4.1 Encryption | | A12.3 Cryptographic controls
Virtual Private Networks (VPNs) | 7.3 Virtual Private Networks (VPNs) | 6.3.4.2 Virtual private network | CIP-005-03 – Electronic security perimeters | A10.6 Network security management
Dial-up modems | | 6.3.2.4 Dial-up modems | CIP-005-03 – Electronic security perimeters | A11.7 Mobile computing and teleworking
Wireless | | 6.3.2.5 Wireless | CIP-005-03 – Electronic security perimeters | A11.7 Mobile computing and teleworking
Management, Audit, Measurement, Monitoring, and Detection Tools | | | |
Log Auditing Utilities | 8.1 Log Auditing Utilities | | CIP-005-03 – Electronic security perimeters | A10.10.1 Audit logging
Virus and Malicious Code Detection Systems | 8.2 Virus and Malicious Code Detection Systems | 6.2.6.1 Malicious code detection | CIP 007-3 – System security management | A10.4.1 Controls against malicious code
Intrusion Detection Systems | 8.3 Intrusion Detection Systems | 6.2.6.2 Intruder detection and prevention | CIP-006-3c – Physical security; CIP 007-3 – System security |
Incident response | | 6.2.8 Incident response | CIP 008-03 Incident reporting and response planning | A13.1.1 Reporting information security events
Vulnerability Scanners | 8.4 Vulnerability Scanners | | CIP-005-03 – Electronic security perimeters; CIP 007-3 – Systems security | A12.6 Technical vulnerability management
Forensics and Analysis Tools (FAT) | 8.5 Forensics and Analysis Tools (FAT) | | |
Host Configuration Management Tools | 8.6 Host Configuration Management Tools | | |
Automated Software Management Tools | 8.7 Automated Software Management Tools | | |
Contingency Planning | | 6.2.3 Contingency Planning | CIP 009-03 – Recovery plans for critical cyber assets | A14 Business continuity planning
Configuration management | | 6.2.4 Configuration management | CIP 003-04 Security Management Controls |
Maintenance | | 6.2.5 Maintenance | CIP 003-04 Security Management Controls |
Patch management | | 6.2.6.3 Patch management | CIP 007-3 – System security management |
Media protection | | 6.2.7 Media protection | CIP 007-3 – System security management | A10.7 Media handling
Audit and accountability | | 6.3.3 Audit and accountability | | A15.3 Information systems audit considerations
Industrial Automation and Control Systems Computer Software | | | |
Server and Workstation Operating Systems | 9.1 Server and Workstation Operating Systems | | CIP 007-3 – System security management | A11.5 Operating system access control
Real-time and Embedded Operating Systems | 9.2 Real-time and Embedded Operating Systems | | |
Web Technologies | 9.3 Web Technologies | 6.3.2.2 Web servers | |
Physical Security Controls | | | |
Physical Protection | 10.1 Physical Protection | 6.2.2 Physical and environmental protection | CIP-006-3c – Physical security | A9.1 Secure areas
Personnel Security | 10.2 Personnel Security | 6.2.1 Personnel security | CIP-004-3, CIP-004-4 Personnel and training | A8.1.2 Screening


APPENDIX C – Unique characteristics of the Office IT versus PCD

This table describes the unique characteristics of the Office IT domain and what the relevance of that topic is within the PCD domain.

Unique characteristics of ICS devices that increase the challenge in securing the environment

Security topic | Office IT | PCD
--- | --- | ---
Antivirus and mobile code | Very common; easily deployed and updated | Can be very difficult due to impact on PCD; legacy systems cannot be fixed
Patch management | Easily defined, enterprise-wide, remote and automated | Very long runway to successful patch install; OEM-specific, may impact performance
Technology support lifetime (outsourcing) | 2-3 years, multiple vendors; ubiquitous upgrades | 10-30 years, same vendors
Cyber security testing and audit (methods) | Use modern methods | Testing has to be tuned to system; modern methods inappropriate for ICS; fragile equipment breaks
Change management | Regular and scheduled; aligned with minimum-use periods | Strategic scheduling; nontrivial process due to impact
Asset classification | Common practice and done annually; results drive cyber security expenditure | Only performed when obligated; critical asset protection associated with budget costs
Incident response and forensics | Easily developed and deployed, some regulatory requirements, embedded in technology | Uncommon beyond system resumption activities; no forensics beyond event recreation
Physical and environment security | Easily developed and deployed, some regulatory requirements, embedded in technology | Excellent (operations centers, guards, gates, guns)
Secure systems development | Integral part of development process | Usually not an integral part of systems development
Security compliance | Limited regulatory oversight | Specific regulatory guidance (some sectors)


APPENDIX D – Interview questions

Research on the use of PCD frameworks and the lessons learned from those frameworks

Overview of questions for the research.

When we are discussing the PCD (acronym of SCADA), we are discussing: a collection of process control systems that are used in myriad applications, including manufacturing, communications, distribution (water, gas, power) and heating, cooling and security in buildings. PCD systems collect data from sensors in local and remote locations and send them to central computers to control local machinery.

The goal of this interview is to discuss how PCD frameworks are used and what, according to the business, the lessons learned from these frameworks were. The results of this interview will be used, together with the interviews at other organizations, in a qualitative analysis. This analysis is (part of) the result of the thesis of the postgraduate study program on EDP auditing at VU University Amsterdam.

As a token of appreciation for the willingness to cooperate in an interview, a copy of the final thesis will be sent to the interviewee. All information gathered from the interview will be treated confidentially, and the thesis will work with the data anonymously.

This interview is 'open' in nature, which means that the subjects are fixed but the questions are not; the questions are only indicative.

Subject 1; Information about the interviewee and the company:
1. Could you briefly describe your (professional) background?
2. Could you describe how your organization makes use of the PCD and how dependent the organization is on the PCD?

Subject 2; Information about the PCD framework of the organization (or organization-related frameworks):
1. Within your organization, do you make use of a specific PCD framework?
2. What is this framework based on?
a. A generic PCD framework (like ISA99, NIST 800-82, NERC CIP) or
b. A generic Office IT framework (like ISO27001, CobiT, etc.) or
c. Something else?
3. How do you use this framework?
a. As a good practice
b. For regulation/legislation purposes


4. Do you have experience with generic frameworks like ISA99, NIST 800-82 or NERC CIP?

Subject 3; Comparison of the PCD frameworks:
1. I created a comparison between the PCD frameworks ISA99, NIST 800-82 and NERC CIP. Are there any components which stand out?
2. Are there any components which you know are not (or hardly) relevant for controlling the PCD systems?
3. Are any components missing?

Subject 4; PCD General:
1. Are there any topics in the PCD which you think are still underexposed?
