exida Consulting LLC

White Paper
Version 1.2
Published August 26, 2013

The ICS Cybersecurity Lifecycle

INTRODUCTION ..................................................................................................................................2
WHAT IS THE ICS CYBERSECURITY LIFECYCLE? .......................................................................................2
CYBERSECURITY MANAGEMENT PROGRAM ............................................................................................5
Policies ....................................................................................................................................................................... 5
Awareness Programs ................................................................................................................................................ 6
Training Programs .................................................................................................................................................... 7
ASSESS PHASE ....................................................................................................................................7
Scope Definition and Project Setup .......................................................................................................................... 8
Vulnerability Assessment, Risk Assessment, & Target Selection ............................................................................ 8
Model the System, Document the Requirements ...................................................................................................10
IMPLEMENTATION PHASE .................................................................................................................. 11
Conceptual Design ...................................................................................................................................................11
Design Validation .....................................................................................................................................................12
Test Planning and Acceptance Testing ...................................................................................................................12
MAINTAIN PHASE .............................................................................................................................. 13
Countermeasure Maintenance and Security Monitoring .......................................................................................13
Incident Response Planning and Periodic Assessments ........................................................................................14
CONCLUSION .................................................................................................................................... 14
REFERENCES .................................................................................................................................... 15

Copyright 2013 exida Consulting LLC

Authors
John Cusimano, CISSP, CFSE
Director of Security
exida Consulting LLC
jcusimano@exida.com
www.exida.com

Gene Cammack
Director, Gulf Coast Region
exida Consulting, LLC
GCammack@exida.com
www.exida.com

Copyright 2013 exida Consulting LLC

exida Consulting White Paper

The ICS Cybersecurity Lifecycle

Introduction
With the ever changing threats posed by cyber events of any nature, it has become critical to
recognize these emerging threats, malicious or not, and identify the consequences these threats
may have on the operation of an industrial control system (ICS). Cyber-attacks over time have the
ability to take on many forms and threaten not only industrial but also national security.
Saudi Aramco, the world's largest exporter of crude oil, serves as a perfect example depicting how
devastating a cyber-attack can truly be on an industrial manufacturer. In August 2012, Saudi
Aramco (SA) had 30,000 personal computers on its network infected by a malware attack better
known as the "Shamoon" virus. According to InformationWeek Security this was roughly 75
percent of the companys workstations and took 10 days to complete clean-up efforts.i
The seriousness of cyber-attacks in regards to national security was addressed by former United
States Secretary of Defense Leon W. Panetta in his speech on October 2012. Panetta issued a
strong warning to business executives about cybersecurity as it relates to national security." A
cyber-attack perpetrated by nation states [and] violent extremists groups could be as destructive
as the terrorist attack on 9/11. Such a destructive cyber-terrorist attack could virtually paralyze
the nation," he stated. "For example, we know that foreign cyber actors are probing America's
critical infrastructure networks. They are targeting the computer control systems that operate
chemical, electricity and water plants and those that guide transportation throughout this
country."ii
In addition to Panettas address, the U.S. Department of Homeland Security has issued several
alerts about coordinated attacks on gas pipeline operators, according to a May 2012 report by
ABC News.iii
This whitepaper will focus on the significance of cyber-attacks on industrial control systems (ICS)
and how these attacks can be prevented by proper practice of the ICS Cybersecurity lifecycle.

What is the ICS Cybersecurity Lifecycle?

The ICS Cybersecurity Lifecycle is a visual guide that recognizes the principle that cybersecurity is
a continuous process that requires attention and care not only during the initial design stage but
throughout the lifecycle of the system. We have divided the cybersecurity lifecycle into three
main phases; the Assess Phase, the Implement Phase and the Maintain Phase. Each phase
consists of multiple process steps. The major activities performed in each step are described as

September 16, 2013

exida Consulting White Paper

The ICS Cybersecurity Lifecycle

well as the inputs to and the outputs from each step. Additionally, there is an overall
Cybersecurity Management Program that must be addressed throughout the lifecycle. This is
visualized as the long white bar that spans all three phases.

September 16, 2013

exida Consulting White Paper

The ICS Cybersecurity Lifecycle

INPUT

PROCESS

OUTPUT

exida services

Corporate / site policies and

procedures

Analyze and create existing architecture

drawing(s)
Policy development and/or review
Cybersecurity Awareness Training

Project Specific Requirements

Scope Definition and Project

Setup

Architecture Drawing(s)
Regulations
(e.g. NERC CIP, CFATS, etc.)

Project Management Plan

(ISA/IEC 62443.3.2)

Cybersecurity Risk
Assessment

Cybersecurity Risk Assessment

Report

(ISA/IEC 62443.3.2)

Cybersecurity Target
Selection

Tolerable Risk Guidelines

(ISA/IEC 62443.3.2)

Standards
(e.g. ISA/IEC 62443.3.2)
Reference Architectures & Best
Practices

Zone and Conduit Model

Zone and Conduit Drawing(s)

(ISA/IEC 62443.3.2)

Document Requirements

Cybersecurity Requirements
Specification (CRS)

Conceptual Design

Cybersecurity Design Spec (CDS)

(ISA/IEC 62443.3.2)

Cybersecurity Requirements
Specification (CRS)

(ISA/IEC 62443.3.2)

Design Validation

Validation Report

(ISA/IEC 62443.3.2)

Implement Phase

NO
Cybersecurity Design Spec (CDS)

Adequate
Design?

Design Package (Drawings,

Configurations, Procedures)

Detailed Design

Cybersecurity Requirements
Specification (CRS)
Security Manuals of ICS Products

Cybersecurity Factory
Acceptance Test (CFAT) Plan
Cybersecurity Site Acceptance
Test (CSAT) Plan

Develop Test Plans

(ISA/IEC 62443.3.2)

Design Package (Drawings,

Configurations, Procedures)

Implement Design

Cybersecurity Factory
Acceptance Test (CFAT) Plan

Cybersecurity Factory
Acceptance Test (CFAT)

Cybersecurity Factory Acceptance

Test (CFAT) Report

(ISA/IEC 62443.2.4)

Installation/ Commissioning
(ISA/IEC 62443.2.4)

Cybersecurity Site Acceptance

Test (CSAT)

Cybersecurity Site Acceptance

Test (CSAT) Plan

CSAT Test Report

(ISA/IEC 62443.2.4)

Patch Management Procedure

Security Monitoring Procedure

Change Management Procedure

ICS Cybersecurity Assessment

Procedure

To aappropriate
ppropriate llifecycle
ifecycle pphase
hase
To

Maintain Phase

Antivirus Management
Procedure

Countermeasure
Maintenance

Maintenance Records

Security Monitoring

System Logs (IDS / SIEM)

Change Request

Zone and Conduit Modeling

- Development of corporate reference models
- High-level diagrams
- Detailed design
- Design reviews
Cybersecurity Requirements Specification (CRS)
Template
CRS Development
CRS Review

Cybersecurity Design Specification (CDS)

Consultation
CDS Review
Technology Investigation

Defense-in-Depth Analysis (analysis of

effectiveness of defense layers)
Detection-in-Depth Analysis (analysis of
effectiveness of monitoring layers)

Development of Procedures
ACL Development/Review
Design Reviews
Cybersecurity Factory Acceptance Test (CFAT)
Plan Development
Cybersecurity Site Acceptance Test (CSAT) Plan
Development
Test plan review

Cybersecurity Factory Acceptance Testing (CFAT)

Windows Cybersecurity Vulnerability Assessment
(WCVA)

Cybersecurity Site Acceptance Test (CSAT)

Windows Cybersecurity Vulnerability Assessment
(WCVA)

Vulnerability Management Service

Develop logging requirements

Design monitoring methods
Review

Impact Analysis Review

Modifications?

ICS Cybersecurity Assessment

Report

Periodic Assessment

Figure 1: The ICS Cybersecurity Lifecycle

September 16, 2013

Facilitate Cybersecurity Target Selection

Impact Analysis

Modifications or
Decommision
YES

Perform Cybersecurity Vulnerability Assessment

Update Architecture Drawing(s)
Evaluation of existing countermeasures
Windows Security Vulnerability Assessment (WSVA)
Cybersecurity Scorecard

Development of cybersecurity risk assessment

procedure
Train staff on risk assessment procedure
Facilitate and Document Risk Assessment
Threat Modeling

(ISA/IEC62443.2.1 formerly ISA99.02.01)

HAZOP & SIL Selection

Cybersecurity Risk Assessment
Procedure
Knowledge of process and
business impact

Cybersecurity Vulnerability
Assessment Report

Cybersecurity Vulnerability
Assessment

Control System Security Management Program: Policy, Standards, Procedures, Training, Awareness

Assess Phase

Standards
(e.g. ISA/IEC 62443.3.3)

Perform ICS Cybersecurity Assessment

Windows Cybersecurity Vulnerability Assessment
(WCVA)
Cybersecurity Scorecard

exida Consulting White Paper

The ICS Cybersecurity Lifecycle

The Cybersecurity Management Program, as illustrated by the tall white vertical bar in Figure 1,
includes those activities, such as development of policies and procedures as well as deployment
of training and awareness programs, which are vital to the long term success of the program.
The Assess Phase, as illustrated by the red shaded section in Figure 1, is an assessment typically
done early in the project (e.g. as part of the FEED study). It is focused on identifying and
quantifying the current ICS risks allowing for resources to be applied to the highest-risk items
first.
The Implement Phase, as illustrated by the yellow shaded section in Figure 1, includes
engineering, commissioning, and startup phases. This phase focuses on designing and
implementing technical controls or countermeasures to mitigate the identified risks, particularly
those that are unacceptably high. It also consists of verifying and testing the security of the
system before deployment.
The Maintain Phase, as illustrated by the green shaded section in Figure 1, as implied by the
name, includes operating and maintaining the system. Security controls can deteriorate within a
short amount of time because new vulnerabilities/threats appear almost daily. This makes
planning for ongoing maintenance extremely important.

Cybersecurity Management Program

As previously stated, the Cybersecurity Management Program embodies those activities that are
vital to the long term success of the program such as policy/procedure development and
awareness/training programs. Such polices, awareness, and training should be in practice
throughout all phases of the lifecycle.

Policies
It is important to establish security policies as a company, as a corporation, or even on a project
specific basis in order to ensure that both the employees and suppliers understand their
expectations and how to achieve them. Establishing security policies also allows for the
demonstration of management support as well as the planning of options in the case of a security
breach. Effective policies should describe what is projected to be achieved rather than how it is
expected to be achieved. That being said, such policies should remain technology independent
and solely focus on what aspects need to be accomplished.

September 16, 2013

exida Consulting White Paper

The ICS Cybersecurity Lifecycle

Figure 2: Key ICS Security Policy Topics

Figure 2 displays the types of items that should be highlighted within security policies. As you can
see, a significant portion of the items tend to coincide with general IT policy security topics.
Although the items between IT and ICS security policies are highly similar, the application of such
to industrial control system environment can vary quite drastically. Patch management for
example is a typical part of both IT security policies and ICS security policies. However, unlike in
an ICS policy, IT policies will advise a rapid response for the implementation and deployment of
security patches from vendors such as Microsoft. As far as an enterprise setting, a rapid response
method is perfectly acceptable if not expected. However, in a control system environment,
patching systems can have significant repercussions if not tested or done properly. Therefore a
rapid response method would not be advised but rather a slower, more cautious response.
Overall, ICS policies may borrow from but must differ from those of the IT department. It is
exidas experience that the best results occur when IT and control system personnel collaborate
and establish what they believe to be the best policies around control system security.

Awareness Programs
Aside from effective policies, the steadfastness of a security system is directly dependent on the
awareness of its personnel. Typically an employee or contractor does not fully understand the
potential impact of his or her actions which leads to a high amount of policy violations and social

September 16, 2013

exida Consulting White Paper

The ICS Cybersecurity Lifecycle

engineering involved in most security breaches. This is why it is vital to ensure that employees,
contractors, and any other personnel in contact with the control system are aware of what exactly
an ICS is, what risks/threats are present, and why these risks/threats need to be taken seriously.
The majority of people believe that technical solutions take care of the security concerns
therefore allowing them to come to the conclusion that their actions have little impact on the
control system as a whole. It is important to remind personnel on a regular basis to be vigilant
and attentive to matters of control system security to eliminate this misconception.

Training Programs
It is also vital to an ICS to properly train all its stakeholders and inform them of the reasons
behind specific security policies, the acceptable procedures and practices, and the social
engineering ploys. Training such people can aid in the understanding of updated security
controls, ideas that can be utilized to reduce risks, and impacts on the company if security
methods are not incorporated. The best training programs that have been observed by exida have
been programs that are tailored and role-based providing information for someones specific skill
level and job requirements.

Assess Phase
The Assess phase, as shown in Figure 3, can be divided into three subsections. The first
subsection involves scoping and defining the project. This is followed by assessing the risk and
vulnerability of the system, and lastly documenting the requirements.

Figure 3: Diagram of Assess Phase

September 16, 2013

exida Consulting White Paper

The ICS Cybersecurity Lifecycle

Scope Definition and Project Setup

The first step in the Assess Phase is Scope Definition and Project Setup. The purpose of this step
is to define the parameters of the project and clearly identify what it is you will be assessing.
Overall goals for this step are as follows:

Identify and contain the scope of the project

Identify project constraints
Gather and organize information
Define roles and responsibilities
Establish training requirements

The scope definition and project setup can be either a formal or informal process depending on
the current state of the project; greenfield or brownfield. Other factors involved in properly
defining the scope include corporate site policies and procedures, project-specific requirements,
architectural drawings, and relevant regulations and standards.
Once the scope definition and project setup is completed, documentation of all this information
should be placed in a cybersecurity management plan, regardless of whether a corporate security
plan is already in place. The plan should include project-specific issues, such as:

Corporate security plans

Project-specific requirements
Joint venture partner issues
Local regulations
Processes
Roles and responsibilities

Vulnerability Assessment, Risk Assessment, & Target Selection

The next subsection of the Assess Phase consists of determining the vulnerability and risk of the
system and identifying risk reduction targets. The purpose of these steps is to classify the
business risk in terms of impact on health, safety, environment, equipment, business continuity,
and others that could result from compromise of the ICS. This portion requires a vulnerability
assessment followed by a risk assessment in order to quantify or qualify the risks and to ensure
that these risks are prioritized/addressed with the appropriate amount of resources.
The comprehensive goals of this subsection of the assess phase include:

Identifying and classifying key cyber assets

September 16, 2013

exida Consulting White Paper

The ICS Cybersecurity Lifecycle

Identifying and quantifying vulnerabilities, threats, and consequences,

Determining risks
Establishing risk reduction targets

Vulnerability Assessment
A vulnerability assessment is performed in order to identify weaknesses within a system. How
these assessments are conducted can vary greatly depending on whether it is being performed on
a new system or an existing system. Assessments on existing systems involve analyzing actual and
potential security vulnerabilities by reviewing the current design, performing a site visit,
collecting information, and analyzing the system as it is currently running. For new systems, an
assessment can only be performed on the system design.
Some of the important items to investigate while conducting a vulnerability assessment include:

Network architecture diagrams

Network component configurations (e.g., switches, routers, firewalls)

Host device configurations (e.g., servers, workstations)

Access control strategies (e.g., how will people and computers access)

Software and firmware versions

Once all items have been thoroughly investigated, a risk assessment can then be conducted.
Risk Assessment
A risk assessment analyzes the vulnerabilities presented in the vulnerability assessment and
determines the consequential risks these vulnerabilities possess.
Required by ISA/IEC 62443-2-1 [Ref. 2 & 3], the major steps of a cybersecurity risk assessment (also
known as a Cyber HAZOP or Cyber PHA) include identifying the threats, vulnerabilities, and
consequences, should the threats be realized or exploited, followed by a qualification of the
severity of the consequences and the likelihood that the threat could occur, taking into account
existing safeguards. The outcome of this process is the residual risk. An example of a Cyber
HAZOP is shown in Figure 4.
Characterizing threats is a crucial part of the risk assessment. Threats can vary depending on the
type of process, the location, risks, and hazards. However in general, threat sources can be
categorized in one of four types:

Authorized personnelnon-malicious in nature; someone who may unintentionally

misuse the system
Unauthorized personnelmischievous if not malicious in nature; someone attempting to
do something beyond his or her level of authority

September 16, 2013

exida Consulting White Paper

The ICS Cybersecurity Lifecycle

Outsiderany non-authorized person with malicious intent

Malwareany malicious software that enters the control system such as virus, worm,
Trojan horse

Figure 4: Example Cyber HAZOP

Model the System, Document the Requirements

The last section of the assess phase consists of modeling the system and documenting the
requirements. Typically a zone and conduit model as introduced in ISA/IEC 62443-1-1 [Ref. 1 & 2]
will be used to model the system. Applying this model to a standard control system requires
defined security zones and the communication channels (conduits) between those zones.
Possible zones could include: business or enterprise zone, process information zone, process
operations zone, process safety zone, process control zone, and process measurement zone.
Breaking the system down into defined electronic security zones allows for the containment of
the threat within a specific area and the application of a certain level of security to all aspects in
the zone.
The following items must be documented into a cybersecurity requirements specification
document for each zone and conduit to be in accordance with the ISA 61443-3-2 standard [Ref. 5]:

Scope and purpose of the system

Physical and environmental security requirements

September 16, 2013

10

exida Consulting White Paper

The ICS Cybersecurity Lifecycle

General cybersecurity requirements

Zone and conduit-specific requirements
o
Name and/or unique identifier
o
Logical boundary
o
Physical boundary, if applicable
o
List of all access points and associated boundary devices
o
List of data flows associated with each access point
o
Connected zones or conduits
o
List of assets and associated consequences
o
Security level target
o
Applicable security policies
o
Assumptions and external dependencies

Implementation Phase
Subsequent to the Assess Phase is the Implementation Phase (Figure 5). The Implementation
Phase consists of two main divisions; conceptual design and detailed design. Unlike conceptual
design, detailed design is focused more on the testing the design rather than the validation of the
design.

Figure 5: Diagram of Implement Phase

Conceptual Design
The conceptual design will view and assess the following:

September 16, 2013

11

exida Consulting White Paper

The ICS Cybersecurity Lifecycle

Defense-in-depth strategies
Selection of countermeasures
Revised zone and conduit model
Updated architecture diagrams
Access control strategies

Within the conceptual design, the selection of counter measures can be applied in order to
mitigate risk. ISA 62443-3-3 [Ref. 6] provides excellent guidance on countermeasures. Each
countermeasure is assigned to a category and a Security Level capability. Examples of counter
measures include:

Physical access controls

Logical access controls
Portable media management
Malicious code protection
Organizational and operational controls
Communications filtering
Data Encryption

Design Validation
Following the identification and application of proper counter measures, it is essential to verify
that the new secure design has reached its objectives. One method of effectively verifying
whether these objectives have been met is to return back to the risk assessment performed in the
assess phase, document the newly implemented safe guards/mitigations and re-evaluate. If the
new design goals have been achieved the risk following re-evaluation should be reduced to levels
that are tolerable.

Test Planning and Acceptance Testing

Once reduced levels of risk have been accomplished, the next step is to develop a test plan.
Thorough and proficient test plans should involve creating test objectives and test plans based on
cybersecurity requirements and design specifications. A checklist to audit security settings is also
helpful in implementing test plans. While such methods are still valid in any test plan, it is
important to conduct more rigorous testing for greenfield projects such as abuse cases. Abuse
cases will test the boundaries of the systems at its entry points to determine if the system
operates as designed. Additionally, the abuse case will negatively test the system in order to
conclude if the security in place can be violated.
Abuse cases can be simulated by penetration or pen-testing. As implied by the name, pen-testing
refers to the deliberate attempt to infiltrate safe guards. It is generally not appropriate to conduct

September 16, 2013

12

exida Consulting White Paper

The ICS Cybersecurity Lifecycle

such testing on operational (i.e. online) control systems as the testing may cause the system to
behave in an unpredictable and thus unsafe manner. However, more aggressive testing can
safely be performed and is encouraged during factory acceptance testing or site acceptance
testing of a new or updated system. Conducting rigorous testing of these systems before
deployment will ensure the safety of the system as well as the overall safety of the company and
its employees.

Maintain Phase
The final stage of the cybersecurity lifecycle is the maintain phase (Figure 6). This phase
encompasses the maintenance of implemented counter measures, monitoring security,
modification/decommissioning, and periodic assessments of the systems in place.

Figure 6: Diagram of Maintain Phase

Countermeasure Maintenance and Security Monitoring

As previously mentioned, threat environments are perpetually fluctuating and present new
vulnerabilities almost daily. It is for this reason the implication of countermeasures cannot be a
one-time process. The continual overseeing and preservation of the system is undeniably
necessary in order to guarantee proper security. Such security could involve the monitoring of
patches, anti-virus software, and system logs. Inspection of system logs can allow for the
detection of unusual events as well as possible intrusions. Another method to reveal possible
intrusions is the usage a technology called intrusion detection. Intrusion detection will analyze
network traffic and indicate if the system is being invaded, in addition to recognizing any
abnormalities/anomalies in the network communications.

September 16, 2013

13

exida Consulting White Paper

The ICS Cybersecurity Lifecycle

Incident Response Planning and Periodic Assessments

Accompanying the monitoring of the system should be proper planning and preparation
regarding the response to a security incident. Planning response mechanisms prior to a security
incident is always recommended.
Periodic audits are also a critical part of security maintenance due to the deterioration of
measures and practices over time as well as the availability of new information and techniques. If
it is determined that a modification must be made during one of these period assessments it is
important to re-evaluate the system by returning to the appropriate phase of the cycle. Where to
return in the lifecycle will be dependent of the severity and implications of the change. Sections of
the process may need to be repeated but this replication will ultimately provide the necessary upto-date security required for proper system operation.

Conclusion
A lifecycle approach to cybersecurity will ensure that cybersecurity is properly addressed, not
only during the initial design stage, but throughout the lifecycle of the system. We recommend
that companies adopt this approach for existing systems (i.e. brownfield) as well as for new
systems (i.e. greenfield) and develop and enforce the appropriate policies and procedures to
ensure the process is consistently followed.

September 16, 2013

14

exida Consulting White Paper

The ICS Cybersecurity Lifecycle

References
Standards
1.

ANSI/ISA 99.00.01-2007, Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts,
and Models, 2007.
<http://www.isa.org/Template.cfm?Section=Shop_ISA&Template=/Ecommerce/ProductDisplay.cfm&Productid=9
661>.

2.

IEC/TS 62443-1-1 ED. 1.0 EN:2009, Industrial communication networks - Network and system security - Part 1-1:
Terminology, concepts and models", 2009. <http://webstore.iec.ch/webstore/webstore.nsf/Artnum_PK/43215>.

3.

ANSI/ISA 99.02.01-2009, Security for Industrial Automation and Control Systems: Establishing an Industrial
Automation and Control Systems Security Program, 2009.
<http://www.isa.org/Template.cfm?Section=standards2&template=/Ecommerce/ProductDisplay.cfm&ProductID=
10243>.

4.

IEC 62443-2-1 ED. 1.0 EN:2010, Industrial communication networks - Network and system security - Part 2-1:
Establishing an industrial automation and control system security program, 2010
<http://webstore.iec.ch/preview/info_iec62443-2-1%7Bed1.0%7Den.pdf>.

5.

ISA-62443-3-2, Security for Industrial Automation and Control Systems: Security assurance levels for zones and
conduits, Draft for Comment, http://isa99.isa.org/Documents/Drafts/ISA-62443-3-2-WD.pdf

6.

ISA-62443-3-3, Security for Industrial Automation and Control Systems: System security requirements and
security assurance levels, Approved, http://isa99.isa.org/Documents/Drafts/ISA-62443-3-3-WD.pdf

Source Material
The material for this White Paper was adapted from the following exida training courses:

Understanding and Applying the ICS Cybersecurity Lifecycle (4-day)

7 Steps to Industrial Control System Security (1-day)

About exida
exida is a world leading engineering services & certification body focused on helping automation suppliers and users
improve the safety, security and reliability of their industrial automation systems. Established by several of the worlds top
safety, security, and reliability experts, the company is owned by these partners and independent of any vendor ownership.
exidas main offices are located in Sellersville, PA, USA and Munich, Germany with service centers worldwide.
www.exida.com/cybersecurity

https://www.informationweek.com/security/attacks/saudi-aramco-restores-network-after-sham/240006278
http://www.defense.gov/speeches/speech.aspx?speechid=1728
iii
http://abcnews.go.com/Blotter/dhs-hackers-mounting-organized-cyber-attack-us-gas/story?id=16304818#.UeX941QFTQ
ii

September 16, 2013

15