De Facto industrial CyberSecurity standard developments


An industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. It provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance to the Cloud Controls Matrix (CCM).  

It helps cloud service providers and their customers to gauge the security posture and determine if their cloud services are suitably secure. In addition to improving the clarity and accuracy, it also supports better auditability of the CCM controls.

https://cloudsecurityalliance.org/artifacts/consensus-assessments-initiative-questionnaire-v3-1/

The Industrial Internet Security Framework (IISF) is a cross-industry-focused security framework comprising expert vision, experience and security best practices. It reflects thousands of hours of knowledge and experiences from security experts, collected, researched and evaluated for the benefit of all IIoT system deployments.
It builds on the ‘Industrial Internet of Things Reference Architecture’ (IIRA), that lays out the most important architecture components, how they fit together and how they influence each other. Each of these components must be made secure, as must the key system characteristics that bind them together into a trustworthy system.

It reviews security assessment for organizations, architectures and technologies. It outlines how to evaluate attacks as part of a risk analysis and highlights the many factors that should be considered, ranging from the endpoints and communications to management systems and the supply chains of the elements comprising the system. Different roles are identified that should be considered in conjunction with the key characteristics, including, owner/operator, system integrator/builder and equipment vendor. Each role offers different risk management perspectives that affect the decisions regarding security and privacy.

https://www.iiconsortium.org/IISF.htm
https://www.iiconsortium.org/pdf/IIC_PUB_G4_V1.00_PB-3.pdf

 

NAMUR, the "User Association of Automation Technology in Process Industries", is an international association of user companies (established in 1949) and represents their interests concerning automation technology. NAMUR numbers over 150 member companies. The achievement of added value through automation engineering is at the forefront in all NAMUR member company activities. NAMUR conducts a frank and fair dialogue with manufacturers.

NAMUR’s Automation Security working group 4.18 addresses issues including the following topics in the context of its experience exchange, its concept developments, formulation of requirements to be met by automation solutions and its involvement in national and international standardisation.

Relevant recommendations and worksheets

  • NA 163    Security Risk Assessment of SIS (Safety Instrumented Systems)
  • NA 169    Automation Security Management in the Process Industry.  NA 169 describes the steps to systematically build a Cyber Security Management System (CSMS) for automation systems in the process industry in order to ensure the correct operation of the functional safety devices, to protect critical data and to ensure the availability and reliability of the plants

See Namur website WG 4.18 pages

OPC Unified Architecture (OPC UA) is a machine to machine communication protocol for industrial automation developed by the OPC Foundation.
(see https://en.wikipedia.org/wiki/OPC_Unified_Architecture)

See https://www.plattform-i40.de/PI40/Redaktion/EN/Standardartikel/working-group-03.html

Asociated content:

  • Associated Metamodel Asset Administration Shell for Security
  • Access control for Industrie 4.0 components for application by manufacturers, operators and integrators
  • Specification - Details of the Asset Administration Shell - Part 1
  • Artificial Intelligence (AI) in Security Aspects of Industrie 4.0
  • Cybersecurity Regulatory Framework in Germany/EU and USA (GER/ENG/CHN)Industrie 4.0 Security Guidelines
  • Access control for Industrie 4.0 components for application by manufacturers, operators and integrators
  • Metamodel Asset Administration Shell for Security

    The overall concept is the use of the Admnistrative Asset Shell (AAS). It is requesting access to an object.  In the context of an AAS an object typically is a submodel or a property or any other submodel element connected to the asset. The implemented access control mechanism of the AAS evaluates the access permission rules (2a) that include constraints that need to be fulfilled w.r.t. the subject attributes (2b), the object attributes and the environment conditions (2d). The focus is on access control. An object in the context of ABAC corresponds typically to a submodel or to a submodel element. The object attributes again are modelled as submodel elements. Subject Attributes need to be accessed either via an external policy information point or they are defined as properties within a special submodel of the AAS. A typical subject attribute is its role. The role is the only subject attribute defined in case of role based access control. Optionally, environment conditions can be defined. In role based access control no environment conditions are defined. Environment conditions can be expressed via formula constraints. To be able to do so the values needed should be defined as property or reference to data within a submodel of the AAS.

    https://www.plattform-i40.de/PI40/Redaktion/EN/Downloads/Publikation/Details-of-the-Asset-Administration-Shell-Part1.html