Abstract

Control systems such as Supervisory Control and Data Acquisition (SCADA) and Drilling Control Systems (DCS) are part of the critical infrastructure of the oil and gas industry. These systems were originally designed to operate in physically secured and isolated areas. However, the need to integrate the DCS with IT networks and the increased use of commercial off-the-shelf (COTS) components, such as USB and Windows, have resulted in less isolation. In addition, new cyber-attacks targeting industry have demonstrated that the air-gap isolation strategy is no longer a viable security model. The first industrial cyber-attack was Stuxnet, discovered in June 2010. Stuxnet is considered by far the most complex and sophisticated malware discovered so far. Stuxnet targeted specific SCADA systems that were configured to control and monitor the Iranian uranium enrichment facilities. It targeted a special model of the Siemens 400 PLC series, commonly used in the oil and gas industry. While Stuxnet did spread to oil and gas control systems, it did no harm to these systems because it was designed so specifically to attack its Iranian targets. However, according to statistics from the Department of Homeland Security (DHS), more than 40% of cyber-attacks against critical infrastructure in 2012 targeted the energy industry. Stuxnet represents a paradigm shift and confirms the need for a holistic and preventive security strategy and model. One important aspect of this holistic approach is security policy and requirements. Three internationally recognized cyber security standards are relevant for security policy and requirements development: ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 15408. ISO/IEC 27001 and ISO/IEC 27002 cover organizational and physical security, while ISO/IEC 15408 covers technical security. This paper describes a process that properly addresses security throughout the lifecycle of a DCS.
The process is built on the above-mentioned cyber security standards and develops security policies and requirements stepwise. The process starts with analyzing the system architecture and understanding the existing security barriers of the system, continues with defining the security architecture, and ends with creating a set of security policies that are refined into security requirements. This process has four benefits:

- Ensures the fulfillment of the three core security objectives: availability, integrity, and confidentiality.
- Produces documents aligned with international standards.
- Enables change and requirements tracking.
- Eases product evolution.

The security policy and development process has been developed for DCS, but can easily be extended to support other types of control systems.
