BSI IT Grundschutz
The ISA99 WG4 was discussing a security methodology called BSI IT grundschutz that was new to me. Hans Daniel provided a very concise and useful summary that he kindly allowed us to post on the blog.
UPDATE: A link to the English version of IT Grundschutz courtesy of Stephan Beirer.
For the fast reader
- The IT grundschutz methodology is not directly applicable to complex integrated (industrial automation) systems.
- However, its extensive catalogues can be helpful when implementing security measures on those systems.
- An IT grundschutz like manual is not conducive to standardization.
- Proposed usage for ISA-SP99 WG4: Decide on what elements to use from the IT grundschutz later when WG4 has its processes and risk analysis worked out.
BSI is not BSI (the British Standards Institution), the successful initiator of the world renowned ISO/IEC 17799 which later became the ISO 27000 series. Lately the German Infosec Agency (in German “Bundesamt für Sicherheit in der IT”, until then internationally labeled ‘GISA’ for German InfoSec Agency to avoid confusion) calls itself ‘BSI’ even outside of Germany, reviving the old confusion.
The IT grundschutz never made it against the ISO/IEC 17799 and 27000 series. As proof of the respective acceptance, e.g., a hit count for “grundschutz” vs “ISO 27001” results in 101,000 versus 2,380,000 hits on google.
However, it is common practice among security insiders:
- to use ISO/IEC 17799 and 27000 series for the processes and determination of controls, and then
- look up in the Grundschutz (and elsewhere) the applicable technical implementation of the controls
Indeed, the IT grundschutz has value: it is to my knowledge the largest paper collection and probably the single largest structured collection of individual threats and controls on the internet.
However, the technical implementation knowledge proposed by the IT grundschutz is largely derived from other sources, in particular manufacturer product data and experience using it. Being derived, there is a considerable time lag in updating, if updating of the IT grundschutz is systematic at all. Being derived, the IT grundschutz will never be up-to-date.
This brings me to a conclusion xxx and others at ISO/IEC seemed to agree on:
Detailed technical controls and their implementation cannot be standardized. They are product and time dependent, and good for inclusion in a Technical Report at best (a TR, in ISO/IEC terminology, is good only for a few years).
The IT grundschutz was proposed to ISO/IEC for many years as a competitor to ISO/IEC 17799 and ISO 27001 but never accepted, mainly for the above reasons.
Philosophy of the IT grundschutz
The IT grundschutz is well known to me: I worked at the German BSI (German Information Security Agency - GISA) and witnessed its growth from 25 pages to some 3000 pages in 2005.
It is directed towards IT security in an average (government) office setting, “protection requirement which applies to most IT systems”.
Its initial philosophy was (in about 1990): Why do a risk analysis? Just implement all available measures. At the time all these measures were contained in 25 pages.
This philosophy had to be abandoned, of course, and led to the present underlying risk mitigation philosophy which is (simplified):
- establish all assets; for each of these
- choose from a catalogue of threats
- evaluate the level of required protection
- choose the measures from a catalogue
The IT grundschutz covers all possible areas to a great extent, including security management and extension to certification.
In larger organizations, this leads to extensive bureaucratic security management which can only be handled with supporting IT applications.
By adopting ISO 27000 the world has decided to standardize processes only. This is in recognition of its particularity: security is a never ending battle.
Security measures cannot be ‘cast in concrete’ - remember Maginot
- Hans Daniel
Author: Dale Peterson
Posted: April 8th, 2008 under Standards & Orgs.
Comments: 12
Comments
Comment from Stephan Beirer
Time: April 8, 2008, 11:53 am
Being a German IT security consultant I know both the IT Grundschutz (Baseline Protection) and pure ISO27001-based information security management approaches.
I fully agree with Mr Daniel’s statement that the Grundschutz is not directly applicable to SCADA security - actually it’s the prototypical example why classical office IT security cannot readily be applied to industrial IT. All SCADA-ISMS projects I have worked on or which I heard about take the IMHO more flexible pure ISO27001 approach. (Why do I use the word ‘pure’ here - because Grundschutz has adapted to the success of 27001 recently and changed its approach to “ISO27001 based on IT-Grundschutz”). The ISO2700x controls are abstract enough so that they can be adapted to the special environment of every industry.
But Mr Daniel is right - the Grundschutz is an overwhelming source of ideas on how to implement the particular controls.
Here is a link to the English version of the IT Grundschutz:
http://www.bsi.de/english/gshb/index.htm
stephan
Comment from Ralph Langner
Time: April 8, 2008, 12:23 pm
Two more thoughts, fellows…
A SCADA security standard that will come somewhat close to BSI Grundschutz is the upcoming VDI/VDE 2182. (Think of VDI/VDE as the German counterpart of ISA.) It explicitly addresses SCADA and DCS systems, automation peripherals, and plants.
Second, it is worthwhile to mention that BSI does have a CIP department which is in the process of expanding. So we can be prepared to hear more SCADA related stuff from the BSI guys soon.
Comment from Stephan Beirer
Time: April 8, 2008, 12:54 pm
Mr Langner,
do you know if VDI/VDE 2182 is geared to any ‘classical’ security standards like IT-Grundschutz or ISO2700x? Or does it implement its very own approach to address the specifics of the industrial automation world?
Comment from Ralph Langner
Time: April 8, 2008, 1:37 pm
Many elements of VDI/VDE 2182 are similar to BSI Grundschutz, if not to say modeled after it. The main difference is that the standards committee, i.e. GMA working group 5.22, acknowledges that most security controls from office IT cannot be applied to plant floor applications, devices, and procedures, and tries to define alternatives.
The official draft, a.k.a. Gründruck, of part 1 (out of 4 parts) is available in print through VDI publishing. Or you just convince one of the committee members that you will provide some significant feedback and get a copy for free.
Comment from Stephan Beirer
Time: April 8, 2008, 1:52 pm
OK, I’ll try that
Comment from Ron Southworth
Time: April 9, 2008, 8:55 am
Thanks Stephan for the link. Some interesting reading material.
Comment from Hans Daniel
Time: April 11, 2008, 4:08 am
Think twice!!
In 2006, Alberto Stefanini (JRC, Ispra) made some pertinent comments about the state of SCADA security standardization, in particular:
“There [is] a lack of standards, because the same few experts are involved in all initiatives and thus have nowhere the time to actually produce something.
“Another problem is that [the involved] have diverging interests and stall each other.
“Unusable, unrealistic standards and requirements (e.g. certification), cost, further dispersion of efforts through creation of even more working groups look to be obstacles.”
These statements still apply: VDI 2182 is just another, probably well meant standardization attempt, work of experts many of whom are also involved in IEC and ISA!
VDI 2182 is diverting the German expert availability from the only serious present effort - ISA.
And worse, US and other ISA experts accept losing time on this diversion …
An appeal to ISA and all SCADA security experts:
- forget proposing IT Grundschutz, the related VDI and other new standards to ISA
- if an expert discovers elements in those and other standards which seem complementary or better, bring them in as actual worded contribution text, together with a motivated proposal
- speed up with the ISA work to make it the only broadly and internationally accepted standard
Comment from Marc Tritschler
Time: April 11, 2008, 8:46 am
I have some general comments on IT Grundschutz and its applicability to SCADA security, based on discussions over the last couple of days with my KEMA colleagues in Germany. They have used this methodology quite extensively on projects in German speaking countries, and have also extended the associated GSTOOL software tool to include specific assets such as SCADA systems and substation control systems. Of course, the key element to the applicability of these (and other similar) methodologies and tools is that they can help to automate some of the more routine aspects of a security programme, but they do not replace assessment and judgement of risks, priorities and applicability of controls.
These comments can be extended to most standards. Application of the controls in most standards is dependent on the applicability of those controls to the environment (as well as being dependent on the results of risk assessment etc.); you should not apply controls blindly. However, exceptions to this do exist, such as NERC CIP. I guess I don’t really know which type of standard ISA-99 is planning on becoming; one where everything is mandatory
To respond to Hans’ comment about focusing only on ISA - I would be keen to understand if people feel that this would work together with, for example, NERC CIP in North America, or any mandatory standard that may be put in place in Europe (which I know would be a number of years away), or in any other country? Also, I suggest that it may be very difficult culturally to use ISA to replace existing established standards such as IT Grundschutz in non-English speaking countries.
Comment from Hans Daniel
Time: April 14, 2008, 4:23 am
Marc -
Your comment on ‘applying controls blindly’ really is hitting the target: The Grundschutz is misleading to use a huge perfected precise automatism without questioning its basis, the risk analysis in SCADA.
In this context I question the applicability of Grundschutz ‘assets’ approach to SCADA.
In my mind, expressed in a simplified manner, in SCADA there is ONE asset, the continued operation of the automated factory, while in office automation there is a multitude of individual systems with a flexible universal back-up system, the human.
The Grundschutz is geared towards office automation where we have bunches of assets which can be considered individually.
Again, this is ‘typically’ and ‘simplified’ - of course, there are also critical large transaction systems in office automation.
Now, concerning the German speaking context, Grundschutz is not dominant despite the millions of German tax payer money poured into it. As a proof, for the google hit count in the .de domain we get 77,100 for ‘Grundschutz OR Grundschutzhandbuch’ over 184,000 for ‘17799 OR 27001’.
However, most of the .de sites concerned with Grundschutz are written in German, and most of the .de sites concerned with ISO are written in English.
So is Germany ‘non-English speaking’? This little exercise is showing that Germany is an ‘English speaking’ country. Actually, there is a big effort going on to teach university courses in English to attract foreign students and to keep German elite students.
Finally, ISA presently is the leading SCADA security standardization effort.
I am supporting ISA not because I particularly like what ISA is doing, but because I would like to see something finally coming out.
Personally, I was involved in SCADA standardization as the editor of IEC 62443 PAS. Unluckily, my 62443 projects were stalled by the same activities that presently seem to hit ISA:
*** too few active experts and too many opinions of bystanding experts and dissidents ***
Please support ISA by active contribution!!
- Hans
Comment from Ralph Langner
Time: April 14, 2008, 9:41 am
Hans,
unfortunately ISA did not invite me to participate in SP99, but the VDI/VDE guys did — so I ended up in GMA working group 5.22.
Humor aside, there is one interesting detail in 2182 that is not addressed with the same priority in SP99. It’s the idea that any level of security can be reached and maintained only if asset owners, integrators, and component+software vendors do their contribution to the security puzzle. Therefore, 2182 part 2 covers component security. Part 3 covers security at the machine level. And finally, part 4 covers plant security.
Besides such details, I would not argue that SP99 is the more mature and detailed standard (proposal), and as a matter of fact we are teaching SP99 basics in our seminars. Be it as it may from a technical point of view, there is one killer argument for 2182. Market players and asset owners in Germany don’t listen to ISA (with the exception of a very limited number of big dogs). Most of them have never heard about ISA. Believe it or not, many even haven’t heard about BSI. But ALL have heard about VDI/VDE, and tend to listen to these folks. So whatever the level of expertise and the executability is that you are going to find in 2182, at least it will remind A LOT of people that SCADA security isn’t something that consultants like myself have invented from vapor to create some new field of business. For me, this makes participating in 2182 worthwhile, as my impression is that raising awareness still remains our #1 priority.
Comment from Hans Daniel
Time: April 14, 2008, 3:45 pm
Ralph:
(This is somewhat of the track “Grundschutz” but related to its German aspect)
1 - Sorry, ISA is very well known to SCADA engineers in Germany. Of course, VDI is known to *every* German for its legacy standards. Usually VDE took care of IT issues like this and I do not understand why VDI got involved.
2 - I am not impressed by VDI Part 1. Worse, in my opinion the approach of the version I know (v17) is wrong by principle.
3 - Is there a new version of Part 1? Are there Parts 2, 3 and 4 now? Maybe I’ll change my mind.
4 - Now, I believe that if ISA does not make it, VDI will not be any more likely to make it, at least not on an international scale.
5 - If no one will make it in the US, many fear the HSA will make it …
6 - Who is to blame? The people who “were not invited”. Much more than the people who did not invite.
7 - Actually, I have excellent experience with US committees where I always felt welcome as long as I had something to contribute. E.g., Part 1 of SP99 contains some contributions of mine. All it took was a few e-mails …
8 - Why does VDI not try to find common grounds with ISA? Why did VDI not try to find common grounds with DKE and IEC with whom they shared a number of experts? It must be the language.
–> You certainly express yourself very well in English. Appoint yourself as ambassador to ISA - I’m sure they’ll accept you.
- Hans
Comment from Ralph Langner
Time: April 14, 2008, 4:17 pm
Hans. (OK Dale, you just stop us if this is getting too far off topic.)
2. I’m not impressed either. However it’s better than nothing.
3. No, part 1 is frozen until the deadline for comments ends (this summer).
6. I have made it a habit to accept all the blame for pretty much everything.
8. You are German. You know Germans simply CAN’T just accept something from the US, be it as good as it gets. Besides that, there are some issues in SP99 that are worthy of debate, and that are certainly not applicable very well to the situation in Germany (or in Scandinavia, with a similarly high level of automation).
9. I tend not to appoint myself. I can be some pain in the ***, so just for politeness I leave it to the victim to deliberately request my help.
10. Having just recently met Mr. Honecker and Dr. Jendricke from the BSI CIP department, I am optimistic that the situation in Germany can and will improve.
So long!