Guide to Industrial Control Systems (ICS) Security [NIST SP 800-82 Rev. 2] [JPCERT Japanese translation]

Bilingual PDF, 490 pages: the English text and the JPCERT/CC Japanese translation alternate page by page, so every section appears once in English and once in Japanese.
Digital signature on the PDF: signer Japan Computer Emergency Response Team Coordination Center; DN: c=JP, st=Tokyo, l=Chiyoda-ku, email=office@jpcert.or.jp, o=Japan Computer Emergency Response Team Coordination Center, cn=Japan Computer Emergency Response Team Coordination Center; date: 2016.04.12 09:20:04 +09'00'.

NIST Special Publication 800-82 Revision 2
Guide to Industrial Control Systems (ICS) Security
Supervisory Control and Data Acquisition (SCADA) Systems, Distributed Control Systems (DCS), and Other Control System Configurations such as Programmable Logic Controllers (PLC)
Keith Stouffer, Victoria Pillitteri, Suzanne Lightman, Marshall Abrams, Adam Hahn
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-82r2
Translation: JPCERT Coordination Center (general incorporated association)

Title page:
NIST Special Publication 800-82 Revision 2
Guide to Industrial Control Systems (ICS) Security
Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC)
Keith Stouffer, Intelligent Systems Division, Engineering Laboratory
Victoria Pillitteri and Suzanne Lightman, Computer Security Division, Information Technology Laboratory
Marshall Abrams, The MITRE Corporation
Adam Hahn, Washington State University
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-82r2
May 2015
U.S. Department of Commerce, Penny Pritzker, Secretary
National Institute of Standards and Technology, Willie May, Under Secretary of Commerce for Standards and Technology and Director

Authority

This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3541 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130, Appendix III, Security of Federal Automated Information Resources.

Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

National Institute of Standards and Technology Special Publication 800-82, Revision 2
Natl. Inst. Stand. Technol. Spec. Publ. 800-82, Rev. 2, 247 pages (May 2015)
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-82r2
CODEN: NSPUE2

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST. Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. All NIST Computer Security Division publications, other than the ones noted above, are available at http://csrc.nist.gov/publications.

Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930)
Gaithersburg, MD 20899-8930
Electronic Mail: nist800-82rev2comments@nist.gov
Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL's research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.

Abstract

This document provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. The document provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.

Keywords

Computer security; distributed control systems (DCS); industrial control systems (ICS); information security; network security; programmable logic controllers (PLC); risk management; security controls; supervisory control and data acquisition (SCADA) systems

Acknowledgments for Revision 2

The authors gratefully acknowledge and appreciate the significant contributions from individuals and organizations in the public and private sectors, whose thoughtful and constructive comments improved the overall quality, thoroughness, and usefulness of this publication. A special acknowledgement to Lisa Kaiser, Department of Homeland Security, the Department of Homeland Security Industrial Control System Joint Working Group (ICSJWG), and Office of the Deputy Undersecretary of Defense for Installations and Environment, Business Enterprise Integration Directorate staff, Daryl Haegley and Michael Chipley, for their exceptional contributions to this publication.

Acknowledgments for Previous Versions

The original authors, Keith Stouffer, Joe Falco, and Karen Scarfone of NIST, wish to thank their colleagues who reviewed drafts of the original version of the document and contributed to its technical content. The authors would particularly like to acknowledge Tim Grance, Ron Ross, Stu Katzke, and Freemon Johnson of NIST for their keen and insightful assistance throughout the development of the document. The authors also gratefully acknowledge and appreciate the many contributions from the public and private sectors whose thoughtful and constructive comments improved the quality and usefulness of the publication. The authors would particularly like to thank the members of ISA99. The authors would also like to thank the UK National Centre for the Protection of National Infrastructure (CPNI) for allowing portions of the Good Practice Guide on Firewall Deployment for SCADA and Process Control Network to be used in the document, as well as ISA for allowing portions of the ISA-62443 Standards to be used in the document.
Note to Readers

This document is the second revision to NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security. Updates in this revision include:
- Updates to ICS threats and vulnerabilities.
- Updates to ICS risk management, recommended practices, and architectures.
- Updates to current activities in ICS security.
- Updates to security capabilities and tools for ICS.
- Additional alignment with other ICS security standards and guidelines.
- New tailoring guidance for NIST SP 800-53, Revision 4 security controls including the introduction of overlays.
- An ICS overlay for NIST SP 800-53, Revision 4 security controls that provides tailored security control baselines for Low, Moderate, and High impact ICS.

Translator's note (JPCERT/CC): This document has been translated to follow the original English edition as closely as possible, but its completeness and accuracy are not guaranteed. JPCERT/CC accepts no responsibility for any loss or damage arising from the information contained in this document.

Table of Contents

Page numbers are given as English page / Japanese translation page.

Executive Summary ... 1 / 2
1. Introduction ... 9 / 10
1.1 Purpose and Scope ... 9 / 10
1.2 Audience ... 9 / 10
1.3 Document Structure ... 11 / 12
2. Overview of Industrial Control Systems ... 13 / 14
2.1 Evolution of Industrial Control Systems ... 13 / 14
2.2 ICS Industrial Sectors and Their Interdependencies ... 15 / 16
2.2.1 Manufacturing Industries ... 15 / 16
2.2.2 Distribution Industries ... 15 / 16
2.2.3 Differences between Manufacturing and Distribution ICS ... 15 / 16
2.2.4 ICS and Critical Infrastructure Interdependencies ... 15 / 16
2.3 ICS Operation and Components ... 17 / 18
2.3.1 ICS System Design Considerations ... 19 / 20
2.3.2 SCADA Systems ... 21 / 22
2.3.3 Distributed Control Systems ... 31 / 32
2.3.4 Programmable Logic Controller Based Topologies ... 35 / 36
2.4 Comparing ICS and IT Systems Security ... 39 / 40
2.5 Other Types of Control Systems ... 45 / 46
3. ICS Risk Management and Assessment ... 49 / 50
3.1 Risk Management ... 49 / 50
3.2 Introduction to the Risk Management Process ... 51 / 52
3.3 Special Considerations for Doing an ICS Risk Assessment ... 55 / 56
3.3.1 Safety within an ICS Information Security Risk Assessment ... 55 / 56
3.3.2 Potential Physical Impacts of an ICS Incident ... 57 / 58
3.3.3 Impact of Physical Disruption of an ICS Process ... 57 / 58
3.3.4 Incorporating Non-digital Aspects of ICS into Impact Evaluations ... 59 / 60
3.3.5 Incorporating the Impact of Safety Systems ... 61 / 62
3.3.6 Considering the Propagation of Impact to Connected Systems ... 61 / 62
4. ICS Security Program Development and Deployment ... 63 / 64
4.1 Business Case for Security ... 65 / 66
4.1.1 Benefits ... 65 / 66
4.1.2 Potential Consequences ... 67 / 68
4.1.3 Resources for Building Business Case ... 69 / 70
4.1.4 Presenting the Business Case to Leadership ... 69 / 70
4.2 Build and Train a Cross-Functional Team ... 71 / 72
4.3 Define Charter and Scope ... 71 / 72
4.4 Define ICS-specific Security Policies and Procedures ... 73 / 74
4.5 Implement an ICS Security Risk Management Framework ... 73 / 74
4.5.1 Categorize ICS Systems and Networks Assets ... 75 / 76
4.5.2 Select ICS Security Controls ... 75 / 76
4.5.3 Perform Risk Assessment ... 77 / 78
4.5.4 Implement the Security Controls ... 77 / 78
5. ICS Security Architecture ... 79 / 80
5.1 Network Segmentation and Segregation ... 79 / 80
5.2 Boundary Protection ... 83 / 84
5.3 Firewalls ... 85 / 86
5.4 Logically Separated Control Network ... 89 / 90
5.5 Network Segregation ... 91 / 92
5.5.1 Dual-Homed Computer/Dual Network Interface Cards (NIC) ... 91 / 92
5.5.2 Firewall between Corporate Network and Control Network ... 91 / 92
5.5.3 Firewall and Router between Corporate Network and Control Network ... 95 / 96
5.5.4 Firewall with DMZ between Corporate Network and Control Network ... 97 / 98
5.5.5 Paired Firewalls between Corporate Network and Control Network ... 101 / 102
5.5.6 Network Segregation Summary ... 103 / 104
5.6 Recommended Defense-in-Depth Architecture ... 103 / 104
5.7 General Firewall Policies for ICS ... 105 / 106
5.8 Recommended Firewall Rules for Specific Services ... 109 / 110
5.8.1 Domain Name System (DNS) ... 111 / 112
5.8.2 Hypertext Transfer Protocol (HTTP) ... 111 / 112
5.8.3 FTP and Trivial File Transfer Protocol (TFTP) ... 111 / 112
5.8.4 Telnet ... 111 / 112
5.8.5 Dynamic Host Configuration Protocol (DHCP) ... 113 / 114
5.8.6 Secure Shell (SSH) ... 113 / 114
5.8.7 Simple Object Access Protocol (SOAP) ... 113 / 114
5.8.8 Simple Mail Transfer Protocol (SMTP) ... 113 / 114
5.8.9 Simple Network Management Protocol (SNMP) ... 113 / 114
5.8.10 Distributed Component Object Model (DCOM) ... 115 / 116
5.8.11 SCADA and Industrial Protocols ... 115 / 116
5.9 Network Address Translation (NAT) ... 115 / 116
5.10 Specific ICS Firewall Issues ... 117 / 118
5.10.1 Data Historians ... 117 / 118
5.10.2 Remote Support Access ... 117 / 118
5.10.3 Multicast Traffic ... 117 / 118
5.11 Unidirectional Gateways ... 119
5.12 Single Points of Failure ...
119 5.13 Redundancy and Fault Tolerance ...................................................................................................... 119 5.11 åæ¹åæ§ã²ãŒããŠã§ã€ ...................................................................................................................... 120 xiii SP800-82 第 2 ç ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ã 5.12 åäžé害ç¹........................................................................................................................................ 120 5.13 åé·æ§ãšãã©ãŒã«ããã¬ã©ã³ã¹ ....................................................................................................... 120 5.14 Preventing Man-in-the-Middle Attacks ................................................................................................ 121 5.14 人ãä»åšããæ»æã®é²æ¢ .................................................................................................................. 122 5.15 Authentication and Authorization......................................................................................................... 125 5.15 èªèšŒãšæš©éä»äž ................................................................................................................................ 126 5.15.1 ICS Implementation Considerations ................................................................................................. 127 5.16 Monitoring, Logging, and Auditing ....................................................................................................... 127 5.17 Incident Detection, Response, and System Recovery ........................................................................ 127 5.15.1 ICS å®è£ äžã®èæ ®äºé ........................................................................................................... 128 5.16 ç£èŠããã®ã³ã°åã³ç£æ» .................................................................................................................. 
128 5.17 ã€ã³ã·ãã³ãæ€ç¥ã察å¿åã³ã·ã¹ãã 埩æ§...................................................................................... 128 6. Applying Security Controls to ICS ........................................................................................... 129 6.1 Executing the Risk Management Framework Tasks for Industrial Control Systems ............................. 129 6. ICS ãžã®ã»ãã¥ãªãã£å¯Ÿçã®é©çš ...................................................................................... 130 6.1 ç£æ¥çšå¶åŸ¡ã·ã¹ãã çšãªã¹ã¯ç®¡çäœå¶ã®å®æœ .................................................................................... 130 6.1.1 Step 1: Categorize Information System ..................................................................................... 131 6.1.1 æé 1ïŒæ å ±ã·ã¹ãã ã®åé¡ .................................................................................................. 132 6.1.2 Step 2: Select Security Controls ................................................................................................ 135 6.1.2 æé 2ïŒã»ãã¥ãªãã£å¯Ÿçã®éžæ ........................................................................................... 136 6.1.3 Step 3: Implement Security Controls ......................................................................................... 137 6.1.4 Step 4: Assess Security Controls............................................................................................... 137 6.1.5 Step 5: Authorize Information System ....................................................................................... 137 6.1.3 æé 3ïŒã»ãã¥ãªãã£å¯Ÿçã®å®è£ ........................................................................................... 138 6.1.4 æé 4ïŒã»ãã¥ãªãã£å¯Ÿçã®è©äŸ¡ ........................................................................................... 138 6.1.5 æé 5ïŒæ å ±ã·ã¹ãã ã®èš±å¯ .................................................................................................. 
138 6.1.6 Step 6: Monitor Security Controls .............................................................................................. 139 6.2 Guidance on the Application of Security Controls to ICS ...................................................................... 139 6.1.6 æé 6ïŒã»ãã¥ãªãã£å¯Ÿçã®ç£èŠ ........................................................................................... 140 6.2 ICS ãžã®ã»ãã¥ãªãã£å¯Ÿçã®é©çšã«ä¿ãã¬ã€ãã³ã¹ .......................................................................... 140 6.2.1 Access Control........................................................................................................................... 143 6.2.1 ã¢ã¯ã»ã¹å¶åŸ¡........................................................................................................................... 144 6.2.2 Awareness and Training ............................................................................................................ 153 6.2.3 Audit and Accountability ............................................................................................................ 153 6.2.2 æèåã³èšç·Ž........................................................................................................................... 154 6.2.3 ç£æ»åã³èª¬æ責任 ................................................................................................................... 154 6.2.4 Security Assessment and Authorization .................................................................................... 157 6.2.5 Configuration Management ....................................................................................................... 157 6.2.4 ã»ãã¥ãªãã£è©äŸ¡åã³æš©éä»äž .............................................................................................. 158 6.2.5 æ§æ管ç .................................................................................................................................. 
158 6.2.6 Contingency Planning ................................................................................................................ 159 6.2.6 äžæž¬äºæ èšç»........................................................................................................................... 160 6.2.7 Identification and Authentication ................................................................................................ 165 6.2.7 èå¥åã³èªèšŒ........................................................................................................................... 166 6.2.8 Incident Response ..................................................................................................................... 177 6.2.8 ã€ã³ã·ãã³ãå¯Ÿå¿ ................................................................................................................... 178 6.2.9 Maintenance .............................................................................................................................. 181 6.2.10 Media Protection ...................................................................................................................... 181 6.2.9 ä¿å® ......................................................................................................................................... 182 6.2.10 ã¡ãã€ã¢ä¿è·......................................................................................................................... 182 6.2.11 Physical and Environmental Protection ................................................................................... 183 6.2.11 ç©çç°å¢äžã®ä¿è·ïŒPEïŒ ..................................................................................................... 184 xiv SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY 6.2.12 Planning ................................................................................................................................... 
189 6.2.12 ãã©ã³ãã³ã°......................................................................................................................... 190 6.2.13 Personnel Security................................................................................................................... 191 6.2.13 人å¡ã®ã»ãã¥ãªã㣠.............................................................................................................. 192 6.2.14 Risk Assessment ..................................................................................................................... 193 6.2.15 System and Services Acquisition ............................................................................................. 193 6.2.14 ãªã¹ã¯è©äŸ¡ ............................................................................................................................ 194 6.2.15 ã·ã¹ãã åã³ãµãŒãã¹ã®ååŸ................................................................................................ 194 6.2.16 System and Communications Protection ................................................................................. 195 6.2.16 ã·ã¹ãã åã³éä¿¡ä¿è· .......................................................................................................... 196 6.2.16.1 Encryption ............................................................................................................................. 197 6.2.16.1 æå·å ................................................................................................................................ 198 6.2.17 System and Information Integrity ............................................................................................. 203 6.2.17 ã·ã¹ãã åã³æ å ±ã®ä¿å š ....................................................................................................... 204 6.2.18 Program Management ............................................................................................................. 
209 6.2.19 Privacy Controls....................................................................................................................... 209 6.2.18 ããã°ã©ã 管ç ..................................................................................................................... 210 6.2.19 ãã©ã€ãã·ãŒç®¡ç ................................................................................................................. 210 List of Apendix Appendix AâAcronyms and Abbreviations ......................................................................................................... 213 ä»é² A é åèªåã³ç¥èª ..................................................................................................................................... 214 Appendix BâGlossary of Terms ......................................................................................................................... 219 ä»é² B çšèªé .................................................................................................................................................... 220 Appendix CâThreat Sources, Vulnerabilities, and Incidents .............................................................................. 255 ä»é² C è åšæºãè匱æ§åã³ã€ã³ã·ãã³ã........................................................................................................ 256 Appendix DâCurrent Activities in Industrial Control System Security ................................................................. 283 ä»é² D ç£æ¥çšå¶åŸ¡ã·ã¹ãã ã»ãã¥ãªãã£ã«ãããçŸåšã®æŽ»å ....................................................................... 284 Appendix EâICS Security Capabilities and Tools............................................................................................... 315 ä»é² E ICS ã»ãã¥ãªãã£æ©èœåã³ããŒã« ......................................................................................................... 
316 Appendix FâReferences .................................................................................................................................... 323 Appendix GâICS Overlay ................................................................................................................................... 341 ä»é² G ICS ãªãŒããŒã¬ã€ ................................................................................................................................. 342 List of Figure Figure 2-1. ICS Operation ..................................................................................................................................... 19 å³ 2-1.ICS ã®åäœ .................................................................................................................................................. 20 Figure 2-2. SCADA System General Layout ......................................................................................................... 23 å³ 2-2.SCADA ã®å šè¬ã¬ã€ã¢ãŠã .......................................................................................................................... 24 Figure 2-3. Basic SCADA Communication Topologies .......................................................................................... 25 å³ 2-3. åºæ¬ç SCADA éä¿¡ããããžãŒ .............................................................................................................. 26 Figure 2-4. Large SCADA Communication Topology ............................................................................................ 27 å³ 2-4. 倧èŠæš¡ SCADA éä¿¡ããããžãŒ .............................................................................................................. 28 Figure 2-5. SCADA System Implementation Example (Distribution Monitoring and Control) ................................ 29 å³ 2-5. SCADA ã®å®è£ äŸïŒåæ£ç£èŠã»å¶åŸ¡ïŒ ..................................................................................................... 30 Figure 2-6. 
SCADA System Implementation Example (Rail Monitoring and Control) ............................................ 31 å³ 2-6. SCADA ã®å®è£ äŸïŒåè»ç£èŠã»å¶åŸ¡ïŒ ....................................................................................................... 32 Figure 2-7. DCS Implementation Example ............................................................................................................ 35 å³ 2-7.DCS ã®å®è£ äŸ ............................................................................................................................................. 36 Figure 2-8. PLC Control System Implementation Example ................................................................................... 37 å³ 2-8. PLC å¶åŸ¡ã·ã¹ãã ã®å®è£ äŸ ....................................................................................................................... 38 xv SP800-82 第 2 ç ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ã Figure 3-1. Risk Management Process Applied Across the Tiers .......................................................................... 51 å³ 3-1.å šæ®µéã«ãŸããããªã¹ã¯ç®¡çããã»ã¹ ....................................................................................................... 52 Figure 5-1. Firewall between Corporate Network and Control Network ................................................................. 93 å³ 5-1.äŒæ¥ãããã¯ãŒã¯ãšå¶åŸ¡ãããã¯ãŒã¯éã®ãã¡ã€ã¢ãŠã©ãŒã« ................................................................... 94 Figure 5-2. Firewall and Router between Corporate Network and Control Network .............................................. 95 å³ 5-2.äŒæ¥ãããã¯ãŒã¯ãšå¶åŸ¡ãããã¯ãŒã¯éã®ãã¡ã€ã¢ãŠã©ãŒã«ãšã«ãŒã¿ ..................................................... 96 Figure 5-3. Firewall with DMZ between Corporate Network and Control Network ................................................. 97 å³ 5-3.äŒæ¥ãããã¯ãŒã¯ãšå¶åŸ¡ãããã¯ãŒã¯éã® DMZ ä»ããã¡ã€ã¢ãŠã©ãŒã« ................................................... 98 Figure 5-4. 
Paired Firewalls between Corporate Network and Control Network .................................................. 101 å³ 5-4.äŒæ¥ãããã¯ãŒã¯ãšå¶åŸ¡ãããã¯ãŒã¯éã®ãã¢ãŒããã¡ã€ã¢ãŠã©ãŒã« ................................................... 102 Figure 5-5. CSSP Recommended Defense-In-Depth Architecture ...................................................................... 105 å³ 5-5.CSSP ã®æšå¥šå€å±€é²åŸ¡ã¢ãŒããã¯ã㣠..................................................................................................... 106 Figure 6-1. Risk Management Framework Tasls ................................................................................................. 131 å³ 6-1.ãªã¹ã¯ç®¡çäœå¶æ¥å.................................................................................................................................. 132 Figure C-1. ICS-CERT Reported Incidents by Year ............................................................................................ 275 å³ C-1. ICS-CERT ã«å±åºã®ãã£ã幎床å¥ã€ã³ã·ãã³ãä»¶æ° .............................................................................. 276 Figure G-1 Detailed Overlay Control Specifications Illustrated ............................................................................ 365 å³ G-1 詳现ãªãŒããŒã¬ã€ç®¡çä»æ§ã®èª¬æ ........................................................................................................... 366 List of Tables Table 2-1. Summary of IT System and ICS Differences ........................................................................................ 43 è¡š 2-1.IT ã·ã¹ãã ãš ICS ã®çžéç¹ ........................................................................................................................ 44 Table 3-1. Categories of Non-Digital ICS Control Components ............................................................................. 59 è¡š 3-1. éããžã¿ã« ICS å¶åŸ¡ã³ã³ããŒãã³ãã®ã«ããŽãªãŒ .................................................................................... 60 Table 6-1. 
Possible Definitions for ICS Impact Levels Based on ISA99 .............................................................. 133 è¡š 6-1. ISA99 ã«åºã¥ã ICS 圱é¿ã¬ãã«ã®å®çŸ© .................................................................................................... 134 Table 6-2. Possible Definitions for ICS Impact Levels Based on Product Produced, Industry and Security Concerns ............................................................................................................................................................. 135 è¡š 6-2. çç£ç©ãç£æ¥åã³ã»ãã¥ãªãã£é¢å¿äºã«åºã¥ã ICS ãžã®åœ±é¿ã¬ãã«ã®å®çŸ© .......................................... 136 Table C-1. Threats to ICS .................................................................................................................................... 255 è¡š C-1. ICS ã®è åš ............................................................................................................................................... 256 Table C-2. Policy and Procedure Vulnerabilities and Predisposing Conditions ................................................... 261 è¡š C-2. ããªã·ãŒåã³æé ã®è匱æ§åã³åŒ±ç¹ãšãªãç¶æ ..................................................................................... 262 Table C-3. Architecture and Design Vulnerabilities and Predisposing Conditions ............................................... 265 Table C-4. Configuration and Maintenance Vulnerabilities and Predisposing Conditions ................................... 265 è¡š C-3.ã¢ãŒããã¯ãã£åã³èšèšäžã®è匱æ§åã³åŒ±ç¹ãšãªãç¶æ ........................................................................ 266 è¡š C-4.æ§æåã³ä¿å®äžã®è匱æ§åã³åŒ±ç¹ãšãªãç¶æ .......................................................................................... 266 Table C-5. Physical Vulnerabilities and Predisposing Conditions ........................................................................ 
269 è¡š C-5.ç©ççè匱æ§åã³åŒ±ç¹ãšãªãç¶æ ............................................................................................................ 270 Table C-6. Software Development Vulnerabilities and Predisposing Conditions ................................................. 271 Table C-7. Communication and Network Configuration Vulnerabilities and Predisposing Conditions ................. 271 è¡š C-6.ãœãããŠãšã¢éçºäžã®è匱æ§åã³åŒ±ç¹ãšãªãç¶æ ................................................................................... 272 è¡š C-7.éä¿¡åã³ãããã¯ãŒã¯æ§æäžã®è匱æ§åã³åŒ±ç¹ãšãªãç¶æ .................................................................... 272 Table C-8. Example Adversarial Incidents ........................................................................................................... 273 è¡š C-8. æ»æã€ã³ã·ãã³ãã®äŸ ............................................................................................................................ 274 Table G-1 Security Control Baselines .................................................................................................................. 345 è¡š G-1 ã»ãã¥ãªãã£ç®¡çããŒã¹ã©ã€ã³ ............................................................................................................ 346 xvi SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY Executive Summary This document provides guidance for establishing secure industrial control systems (ICS). These ICS, which include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC) are often found in the industrial control sectors. ICS are typically used in industries such as electric, water and wastewater, oil and natural gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods.) 
SCADA systems are generally used to control dispersed assets using centralized data acquisition and supervisory control. DCS are generally used to control production systems within a local area, such as a factory, using supervisory and regulatory control. PLCs are generally used for discrete control for specific applications and generally provide regulatory control. These control systems are vital to the operation of the U.S. critical infrastructures, which are often highly interconnected and mutually dependent systems. It is important to note that approximately 90 percent of the nation's critical infrastructures are privately owned and operated. Federal agencies also operate many of the ICS mentioned above; other examples include air traffic control and materials handling (e.g., Postal Service mail handling). This document provides an overview of these ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.

Initially, ICS had little resemblance to traditional information technology (IT) systems, in that ICS were isolated systems running proprietary control protocols using specialized hardware and software. Many ICS components were in physically secured areas, and the components were not connected to IT networks or systems. Widely available, low-cost Internet Protocol (IP) devices are now replacing proprietary solutions, which increases the possibility of cybersecurity vulnerabilities and incidents. As ICS adopt IT solutions to promote corporate business system connectivity and remote access capabilities, and are designed and implemented using industry-standard computers, operating systems (OS), and network protocols, they are starting to resemble IT systems.
This integration supports new IT capabilities, but it provides significantly less isolation for ICS from the outside world than predecessor systems, creating a greater need to secure these systems. The increasing use of wireless networking places ICS implementations at greater risk from adversaries who are in relatively close physical proximity but do not have direct physical access to the equipment. While security solutions have been designed to deal with these security issues in typical IT systems, special precautions must be taken when introducing these same solutions to ICS environments. In some cases, new security solutions are needed that are tailored to the ICS environment.

Although some characteristics are similar, ICS also have characteristics that differ from traditional information processing systems. Many of these differences stem from the fact that logic executing in ICS has a direct effect on the physical world. These characteristics include significant risk to the health and safety of human lives and serious damage to the environment, as well as serious financial consequences such as production losses, negative impact on a nation's economy, and compromise of proprietary information. ICS have unique performance and reliability requirements and often use operating systems and applications that may be considered unconventional by typical IT personnel. Furthermore, the goals of safety and efficiency sometimes conflict with security in the design and operation of control systems. ICS cybersecurity programs should always be part of broader ICS safety and reliability programs, at both industrial sites and in enterprise cybersecurity programs, because cybersecurity is essential to the safe and reliable operation of modern industrial processes.
Threats to control systems can come from numerous sources, including hostile governments, terrorist groups, disgruntled employees, malicious intruders, complexities, accidents, and natural disasters as well as malicious or accidental actions by insiders. ICS security objectives typically follow the priority of availability and integrity, followed by confidentiality.

Possible incidents an ICS may face include the following:

- Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.
- Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life.
- Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have various negative effects.
- ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects.
- Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment.
- Interference with the operation of safety systems, which could endanger human life.

Major security objectives for an ICS implementation should include the following:

- Restricting logical access to the ICS network and network activity. This may include using unidirectional gateways, a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, and having separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
- Restricting physical access to the ICS network and devices. Unauthorized physical access to components could cause serious disruption of the ICS's functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards.
- Protecting individual ICS components from exploitation. This includes deploying security patches in as expeditious a manner as possible, after testing them under field conditions; disabling all unused ports and services and assuring that they remain disabled; restricting ICS user privileges to only those that are required for each person's role; tracking and monitoring audit trails; and using security controls such as antivirus software and file integrity checking software where technically feasible to prevent, deter, detect, and mitigate malware.
- Restricting unauthorized modification of data. This includes data that is in transit (at least across the network boundaries) and at rest.
- Detecting security events and incidents.
Detecting security events, which have not yet escalated into incidents, can help defenders break the attack chain before attackers attain their objectives. This includes the capability to detect failed ICS components, unavailable services, and exhausted resources that are important to provide proper and safe functioning of the ICS.
- Maintaining functionality during adverse conditions. This involves designing the ICS so that each critical component has a redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS or other networks, or does not cause another problem elsewhere, such as a cascading event. The ICS should also allow for graceful degradation such as moving from "normal operation" with full automation to "emergency operation" with operators more involved and less automation to "manual operation" with no automation.
- Restoring the system after an incident. Incidents are inevitable and an incident response plan is essential. A major characteristic of a good security program is how quickly the system can be recovered after an incident has occurred.

To properly address security in an ICS, it is essential for a cross-functional cybersecurity team to share their varied domain knowledge and experience to evaluate and mitigate risk to the ICS.
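The two objectives above on detecting security events and maintaining functionality under adverse conditions can be made concrete as a small health monitor. The block below is an added example, not code or text from NIST SP 800-82 or the JPCERT translation: the component inventory, service names, thresholds and telemetry records are constructed, and the rules that move the system from normal to emergency to manual operation are one reading of the guide's description, not its specification.

```python
"""Health monitor driving the guide's three-stage graceful degradation.

Added example, not text or code from NIST SP 800-82 or JPCERT: constructed
component telemetry is turned into the three event kinds the guide names
(failed component, unavailable service, exhausted resource) and the operating
mode follows the guide's degradation order normal -> emergency -> manual.
Component names, roles, services and thresholds are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

MODES = ("normal operation", "emergency operation", "manual operation")


@dataclass(frozen=True)
class Component:
    name: str
    role: str                              # "controller", "operator_interface", "support"
    critical: bool
    redundant_with: Optional[str] = None   # name of its redundant counterpart, if any
    expected_services: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Sample:
    """One telemetry record for one component (constructed format)."""
    name: str
    heartbeat_ok: bool
    services_up: FrozenSet[str]
    cpu_pct: float
    free_mem_pct: float


# Constructed inventory: a redundant PLC pair, an HMI with no spare, a historian.
INVENTORY = {c.name: c for c in (
    Component("plc-a", "controller", True, "plc-b", frozenset({"modbus"})),
    Component("plc-b", "controller", True, "plc-a", frozenset({"modbus"})),
    Component("hmi", "operator_interface", True, None, frozenset({"hmi-web"})),
    Component("historian", "support", False, None, frozenset({"historian-db"})),
)}


def detect_events(samples, inventory=INVENTORY, cpu_limit=90.0, mem_floor=10.0):
    """Return sorted (component, event) pairs: the events that have not yet
    become an incident but that defenders want to see early."""
    events = []
    for s in samples:
        comp = inventory[s.name]
        if not s.heartbeat_ok:
            events.append((s.name, "failed component"))
            continue                        # a dead component reports nothing usable
        for svc in sorted(comp.expected_services - s.services_up):
            events.append((s.name, "unavailable service: " + svc))
        if s.cpu_pct >= cpu_limit or s.free_mem_pct <= mem_floor:
            events.append((s.name, "exhausted resource"))
    return sorted(events)


def choose_mode(events, inventory=INVENTORY):
    """Pick the least-degraded mode that is still safe.

    A critical function is lost when its component is impaired and has no
    healthy redundant counterpart. Losing every controller leaves no automation
    (manual); losing any other critical function puts operators in the loop
    (emergency); otherwise redundancy absorbed the fault (normal)."""
    impaired = {name for name, _ in events}

    def lost(comp):
        if comp.name not in impaired:
            return False
        return comp.redundant_with is None or comp.redundant_with in impaired

    controllers = [c for c in inventory.values() if c.role == "controller"]
    if controllers and all(lost(c) for c in controllers):
        return MODES[2]
    if any(lost(c) for c in inventory.values() if c.critical):
        return MODES[1]
    return MODES[0]


def assess(samples):
    """Events plus the operating mode they imply."""
    events = detect_events(samples)
    return events, choose_mode(events)


# Constructed telemetry: plc-a is starved of memory, the historian database is down.
REDUNDANCY_HOLDS = [
    Sample("plc-a", True, frozenset({"modbus"}), 35.0, 4.0),
    Sample("plc-b", True, frozenset({"modbus"}), 30.0, 60.0),
    Sample("hmi", True, frozenset({"hmi-web"}), 20.0, 70.0),
    Sample("historian", True, frozenset(), 15.0, 80.0),
]

if __name__ == "__main__":
    found, mode = assess(REDUNDANCY_HOLDS)
    for name, what in found:
        print(f"{name:10} {what}")
    print("mode:", mode)
```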
The cybersecurity team should consist of a member of the organization's IT staff, control engineer, control system operator, network and system security expert, a member of the management staff, and a member of the physical security department at a minimum. For continuity and completeness, the cybersecurity team should consult with the control system vendor and/or system integrator as well. The cybersecurity team should coordinate closely with site management (e.g., facility superintendent) and the company's Chief Information Officer (CIO) or Chief Security Officer (CSO), who in turn, accepts complete responsibility and accountability for the cybersecurity of the ICS, and for any safety incidents, reliability incidents, or equipment damage caused directly or indirectly by cyber incidents.

An effective cybersecurity program for an ICS should apply a strategy known as "defense-in-depth," layering security mechanisms such that the impact of a failure in any one mechanism is minimized. Organizations should not rely on "security by obscurity." In a typical ICS this means a defense-in-depth strategy that includes:

- Developing security policies, procedures, training and educational material that applies specifically to the ICS.
- Considering ICS security policies and procedures based on the Homeland Security Advisory System Threat Level, deploying increasingly heightened security postures as the Threat Level increases.
- Addressing security throughout the lifecycle of the ICS from architecture design to procurement to installation to maintenance to decommissioning.
- Implementing a network topology for the ICS that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
- Providing logical separation between the corporate and ICS networks (e.g., stateful inspection firewall(s) between the networks, unidirectional gateways).
- Employing a DMZ network architecture (i.e., prevent direct traffic between the corporate and ICS networks).
- Ensuring that critical components are redundant and are on redundant networks.
- Designing critical systems for graceful degradation (fault tolerant) to prevent catastrophic cascading events.
- Disabling unused ports and services on ICS devices after testing to assure this will not impact ICS operation.
- Restricting physical access to the ICS network and devices.
- Restricting ICS user privileges to only those that are required to perform each person's job (i.e., establishing role-based access control and configuring each role based on the principle of least privilege).
- Using separate authentication mechanisms and credentials for users of the ICS network and the corporate network (i.e., ICS network accounts do not use corporate network user accounts).
- Using modern technology, such as smart cards for Personal Identity Verification (PIV).
- Implementing security controls such as intrusion detection software, antivirus software and file integrity checking software, where technically feasible, to prevent, deter, detect, and mitigate the introduction, exposure, and propagation of malicious software to, within, and from the ICS.
- Applying security techniques such as encryption and/or cryptographic hashes to ICS data storage and communications where determined appropriate.
- Expeditiously deploying security patches after testing all patches under field conditions on a test system if possible, before installation on the ICS.
- Tracking and monitoring audit trails on critical areas of the ICS.
- Employing reliable and secure network protocols and services where feasible.

The National Institute of Standards and Technology (NIST), in cooperation with the public and private sector ICS community, has developed specific guidance on the application of the security controls in NIST Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations [22], to ICS. While many controls in Appendix F of NIST SP 800-53 are applicable to ICS as written, many controls require ICS-specific interpretation and/or augmentation by adding one or more of the following to the control:

- ICS Supplemental Guidance provides organizations with additional information on the application of the security controls and control enhancements in Appendix F of NIST SP 800-53 to ICS and the environments in which these specialized systems operate. The Supplemental Guidance also provides information as to why a particular security control or control enhancement may not be applicable in some ICS environments and may be a candidate for tailoring (i.e., the application of scoping guidance and/or compensating controls). ICS Supplemental Guidance does not replace the original Supplemental Guidance in Appendix F of NIST SP 800-53.
- ICS Enhancements (one or more) that provide enhancement augmentations to the original control that may be required for some ICS.
- ICS Enhancement Supplemental Guidance that provides guidance on how the control enhancement applies, or does not apply, in ICS environments.
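The logical separation, DMZ and unidirectional-gateway items in the defense-in-depth list above amount to a zone policy that can be audited mechanically. The block below is an added example, not code from NIST SP 800-82 or JPCERT: it checks a constructed set of observed flows against a corporate/DMZ/ICS zone plan, and the address ranges, hosts, ports and both policy tables are assumptions rather than values from the guide.

```python
"""Zone-boundary audit for the corporate / DMZ / ICS segregation the guide recommends.

Added example, not code from NIST SP 800-82 or JPCERT. Zone address ranges,
hosts, ports and the policy tables are constructed; a real audit would load
rules or flow records from the firewall's own export."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone plan: the DMZ is the only zone both sides may talk to.
ZONES = {
    "corporate": ip_network("10.0.0.0/16"),
    "dmz": ip_network("10.1.0.0/24"),
    "ics": ip_network("192.168.10.0/24"),
}

# Permitted initiator -> responder zone pairs with a firewall-based DMZ.
# (corporate, ics) and (ics, corporate) are deliberately absent: every
# exchange must terminate in the DMZ (replicated historian, jump host, ...).
DMZ_POLICY = frozenset({
    ("corporate", "dmz"), ("dmz", "corporate"),
    ("dmz", "ics"), ("ics", "dmz"),
})

# Variant with a unidirectional gateway on the ICS side: data may only leave
# the ICS, so nothing in the DMZ may initiate a connection to ICS devices.
UNIDIRECTIONAL_POLICY = DMZ_POLICY - {("dmz", "ics")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr):
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "unknown")


def classify(flow, policy=DMZ_POLICY):
    """Return (src_zone, dst_zone, verdict).

    verdict: 'ok'          allowed zone pair
             'violation'   crosses a zone boundary the policy does not permit
             'intra-zone'  stays inside one zone (out of scope for this check)
             'unknown'     an endpoint outside every planned zone (inventory gap)
    """
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (s, d):
        return s, d, "unknown"
    if s == d:
        return s, d, "intra-zone"
    return s, d, ("ok" if (s, d) in policy else "violation")


def audit(flows, policy=DMZ_POLICY):
    """Bucket flows by verdict. A correct DMZ deployment leaves 'violation'
    empty; 'unknown' entries are hosts missing from the zone inventory."""
    report = {"ok": [], "violation": [], "intra-zone": [], "unknown": []}
    for f in flows:
        report[classify(f, policy)[2]].append(f)
    return report


# Constructed sample of observed flows.
SAMPLE_FLOWS = [
    Flow("10.0.5.20", "10.1.0.10", 443),        # corporate user -> DMZ historian mirror
    Flow("192.168.10.5", "10.1.0.10", 5432),    # ICS historian -> DMZ mirror replication
    Flow("10.1.0.50", "192.168.10.5", 22),      # DMZ jump host -> ICS maintenance
    Flow("10.0.5.20", "192.168.10.7", 502),     # corporate workstation straight to a PLC
    Flow("192.168.10.7", "10.0.9.9", 445),      # ICS-side host reaching a corporate share
    Flow("192.168.10.5", "192.168.10.7", 502),  # HMI -> PLC inside the ICS
    Flow("203.0.113.8", "192.168.10.7", 502),   # address not in any planned zone
]

if __name__ == "__main__":
    for label, policy in (("dmz", DMZ_POLICY), ("unidirectional", UNIDIRECTIONAL_POLICY)):
        rep = audit(SAMPLE_FLOWS, policy)
        print(label, {k: len(v) for k, v in rep.items()})
        for f in rep["violation"]:
            print("  violation:", f.src, "->", f.dst, f.dport)
```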
The most successful method for securing an ICS is to gather industry recommended practices and engage in a proactive, collaborative effort between management, the controls engineer and operator, the IT organization, and a trusted automation advisor. This team should draw upon the wealth of information available from ongoing federal government, industry groups, vendor and standards organizational activities listed in Appendix D.

1. Introduction

1.1 Purpose and Scope

The purpose of this document is to provide guidance for securing industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other systems performing control functions. The document provides a notional overview of ICS, reviews typical system topologies and architectures, identifies known threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. Additionally, it presents an ICS-tailored security control overlay, based on NIST SP 800-53 Rev. 4 [22], to provide a customization of controls as they apply to the unique characteristics of the ICS domain. The body of the document provides context for the overlay, but the overlay is intended to stand alone.

ICS are found in many industries such as electric, water and wastewater, oil and natural gas, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods). Because there are many different types of ICS with varying levels of potential risk and impact, the document provides a list of many different methods and techniques for securing ICS. The document should not be used purely as a checklist to secure a specific system. Readers are encouraged to perform a risk-based assessment on their systems and to tailor the recommended guidelines and solutions to meet their specific security, business and operational requirements. The range of applicability of the basic concepts for securing control systems presented in this document continues to expand.
Relationship to Executive Order 13636, "Improving Critical Infrastructure Cybersecurity"

The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Executive Order 13636, "Improving Critical Infrastructure Cybersecurity" [82], directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The Cybersecurity Framework (CSF) [83] consists of standards, guidelines, and best practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, performance-based, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk while protecting business confidentiality, individual privacy, and civil liberties. The first CSF was released in February 2014 and is applicable to multiple sectors and a variety of operating environments. This flexibility allows it to serve as a national-level framework. The CSF was developed from stakeholder input, and it allows existing practices in many different sectors to be used within the framework. Organizations can use ICS cybersecurity standards, guidelines, and practices to consider CSF functions in relation to their risk management program.

1.2 Audience

This document covers details specific to ICS. Readers of this document should be acquainted with general computer security concepts, and communication protocols such as those used in networking. The document is technical in nature; however, it provides the necessary background to understand the topics that are discussed.

The intended audience is varied and includes the following:

- Control engineers, integrators, and architects who design or implement secure ICS.
- System administrators, engineers, and other information technology (IT) professionals who administer, patch, or secure ICS.
- Security consultants who perform security assessments and penetration testing of ICS.
- Managers who are responsible for ICS.
- Senior management who are trying to understand implications and consequences as they justify and apply an ICS cybersecurity program to help mitigate impacts to business functionality.
- Researchers and analysts who are trying to understand the unique security needs of ICS.
- Vendors that are developing products that will be deployed as part of an ICS.

1.3 Document Structure

The remainder of this guide is divided into the following major sections:

- Section 2 provides an overview of ICS including a comparison between ICS and IT systems.
- Section 3 provides a discussion of ICS risk management and assessment.
- Section 4 provides an overview of the development and deployment of an ICS security program to mitigate the risk of the vulnerabilities identified in Appendix C.
- Section 5 provides recommendations for integrating security into network architectures typically found in ICS, with an emphasis on network segregation practices.
- Section 6 provides a summary of the management, operational, and technical controls identified in NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, and provides initial guidance on how these security controls apply to ICS.

The guide also contains several appendices with supporting material, as follows:

- Appendix A provides a list of acronyms and abbreviations used in this document.
- Appendix B provides a glossary of terms used in this document.
- Appendix C provides a list of ICS threats, vulnerabilities and incidents.
- Appendix D provides a list of ICS security activities.
- Appendix E provides a list of ICS security capabilities and tools.
- Appendix F provides a list of references used in the development of this document.
- Appendix G provides an ICS overlay, listing security controls, enhancements, and supplemental guidance that apply specifically to ICS.
2. Overview of Industrial Control Systems

Industrial control system (ICS) is a general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC) often found in the industrial sectors and critical infrastructures.
An ICS consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy). The part of the system primarily concerned with producing the output is referred to as the process. The control part of the system includes the specification of the desired output or performance. Control can be fully automated or may include a human in the loop. Systems can be configured to operate in open-loop, closed-loop, or manual mode. In open-loop control systems the output is controlled by established settings. In closed-loop control systems, the output has an effect on the input in such a way as to maintain the desired objective. In manual mode the system is controlled completely by humans. The part of the system primarily concerned with maintaining conformance with specifications is referred to as the controller (or control). A typical ICS may contain numerous control loops, Human Machine Interfaces (HMIs), and remote diagnostics and maintenance tools built using an array of network protocols.

ICS that control industrial processes are typically used in the electrical, water and wastewater, oil and natural gas, chemical, transportation, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods) industries. ICS are critical to the operation of the U.S. critical infrastructures, which are often highly interconnected and mutually dependent systems. It is important to note that approximately 85 percent of the nation's critical infrastructures are privately owned and operated.¹ Federal agencies also operate many of the industrial processes mentioned above as well as air traffic control. This section provides an overview of SCADA, DCS, and PLC systems, including typical topologies and components.
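To make the three operating modes concrete, the following added example (not from NIST SP 800-82 or the JPCERT translation) runs one constructed first-order process under open-loop, closed-loop and manual control with the same unmeasured disturbance appearing part-way through. The plant model, controller gains, operator sampling period and disturbance size are all assumptions chosen for illustration.

```python
"""Open-loop, closed-loop and manual control of one constructed process.

Added example, not from NIST SP 800-82 or JPCERT: the same first-order
"tank level" plant is run under the three control modes the overview names,
with the same unmeasured disturbance appearing part-way through, so that the
difference between "output controlled by established settings" and "output
has an effect on the input" shows up in numbers. Plant model, gains,
operator sampling period and disturbance are all constructed."""

LEAK = 0.1                         # fraction of the level lost per tick (constructed plant)
SETPOINT = 50.0
NOMINAL_INFLOW = LEAK * SETPOINT   # the "established setting": holds 50 with no disturbance


def process_step(level, inflow, disturbance):
    """One tick of the plant: level rises with inflow, falls with a leak
    proportional to level and with an unmeasured disturbance."""
    return level + inflow - LEAK * level - disturbance


def simulate(mode, steps=200, disturbance_at=20, disturbance=2.0, operator_period=10):
    """Run one mode from steady state; return final level, worst deviation from
    setpoint, and whether the level is back within 1.0 of setpoint at the end.

    open-loop   : inflow fixed at the established setting, no measurement used
    closed-loop : a PI controller recomputes the inflow from the level every tick
    manual      : an operator reads the level every `operator_period` ticks and
                  trims the inflow by a tenth of the observed error
    """
    level, inflow, integral = SETPOINT, NOMINAL_INFLOW, 0.0
    worst = 0.0
    for t in range(steps):
        if mode == "closed-loop":
            error = SETPOINT - level
            integral += error
            inflow = max(0.0, NOMINAL_INFLOW + 0.3 * error + 0.02 * integral)
        elif mode == "manual" and t % operator_period == 0:
            inflow = max(0.0, inflow + 0.1 * (SETPOINT - level))
        # open-loop: nothing reads the level, so the setting never changes
        d = disturbance if t >= disturbance_at else 0.0
        level = process_step(level, inflow, d)
        worst = max(worst, abs(SETPOINT - level))
    return {"final": level, "max_deviation": worst,
            "recovered": abs(SETPOINT - level) < 1.0}


def compare(modes=("open-loop", "closed-loop", "manual")):
    """Run every mode on the same plant and disturbance."""
    return {m: simulate(m) for m in modes}


if __name__ == "__main__":
    for mode, r in compare().items():
        print(f"{mode:12} final={r['final']:6.2f} worst={r['max_deviation']:5.2f} "
              f"recovered={r['recovered']}")
```

With these constructed numbers the open-loop run settles about 20 units below setpoint and never recovers, the PI loop recovers after a deviation of a few units, and the slowly sampling operator also recovers but only after a deviation roughly three times larger than the automated loop's.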
Several diagrams are presented to depict the network topology, connections, components, and protocols typically found on each system to facilitate the understanding of these systems. These examples only attempt to identify notional topology concepts. Actual implementations of ICS may be hybrids that blur the line between DCS and SCADA systems. Note that the diagrams in this section do not focus on securing ICS. Security architecture and security controls are discussed in Section 5 and Section 6 of this document respectively.

2.1 Evolution of Industrial Control Systems

Many of today's ICS evolved from the insertion of IT capabilities into existing physical systems, often replacing or supplementing physical control mechanisms. For example, embedded digital controls replaced analog mechanical controls in rotating machines and engines. Improvements in cost and performance have encouraged this evolution, resulting in many of today's "smart" technologies such as the smart electric grid, smart transportation, smart buildings, and smart manufacturing. While this increases the connectivity and criticality of these systems, it also creates a greater need for their adaptability, resilience, safety, and security. Engineering of ICS continues to evolve to provide new capabilities while maintaining the typical long lifecycles of these systems. The introduction of IT capabilities into physical systems presents emergent behavior that has security implications. Engineering models and analysis are evolving to address these emergent properties including safety, security, privacy, and environmental impact interdependencies.

¹ http://www.dhs.gov/critical-infrastructure-sector-partnerships (last updated April 2014)

2.2 ICS Industrial Sectors and Their Interdependencies

Control systems are used in many different industrial sectors and critical infrastructures, including manufacturing, distribution, and transportation.

2.2.1 Manufacturing Industries

Manufacturing presents a large and diverse industrial sector with many different processes, which can be categorized into process-based and discrete-based manufacturing. The process-based manufacturing industries typically utilize two main processes [1]:

- Continuous Manufacturing Processes. These processes run continuously, often with transitions to make different grades of a product. Typical continuous manufacturing processes include fuel or steam flow in a power plant, petroleum in a refinery, and distillation in a chemical plant.
- Batch Manufacturing Processes. These processes have distinct processing steps, conducted on a quantity of material. There is a distinct start and end step to a batch process with the possibility of brief steady state operations during intermediate steps. Typical batch manufacturing processes include food manufacturing.

The discrete-based manufacturing industries typically conduct a series of steps on a single device to create the end product.
Electronic and mechanical parts assembly and parts machining are typical examples of this type of industry. Both process-based and discrete-based industries utilize the same types of control systems, sensors, and networks. Some facilities are a hybrid of discrete and process-based manufacturing.

2.2.2 Distribution Industries

ICS are used to control geographically dispersed assets, often scattered over thousands of square kilometers, including distribution systems such as water distribution and wastewater collection systems, agricultural irrigation systems, oil and natural gas pipelines, electrical power grids, and railway transportation systems.

2.2.3 Differences between Manufacturing and Distribution ICS

While control systems used in manufacturing and distribution industries are very similar in operation, they are different in some aspects. Manufacturing industries are usually located within a confined factory or plant-centric area, when compared to geographically dispersed distribution industries. Communications in manufacturing industries are usually performed using local area network (LAN) technologies that are typically more reliable and higher speed as compared to the long-distance communication wide-area networks (WAN) and wireless/RF (radio frequency) technologies used by distribution industries. The ICS used in distribution industries are designed to handle long-distance communication challenges such as delays and data loss posed by the various communication media used. The security controls may differ among network types.

2.2.4 ICS and Critical Infrastructure Interdependencies

The U.S. critical infrastructure is often referred to as a "system of systems" because of the interdependencies that exist between its various industrial sectors as well as interconnections between business partners [8] [9].
Critical infrastructures are highly interconnected and mutually dependent in complex ways, both physically and through a host of information and communications technologies. An incident in one infrastructure can directly and indirectly affect other infrastructures through cascading and escalating failures.

Both the electrical power transmission and distribution grid industries use geographically distributed SCADA control technology to operate highly interconnected and dynamic systems consisting of thousands of public and private utilities and rural cooperatives for supplying electricity to end users. Some SCADA systems monitor and control electricity distribution by collecting data from and issuing commands to geographically remote field control stations from a centralized location. SCADA systems are also used to monitor and control water, oil and natural gas distribution, including pipelines, ships, trucks, and rail systems, as well as wastewater collection systems.

SCADA systems and DCS are often networked together. This is the case for electric power control centers and electric power generation facilities. Although the electric power generation facility operation is controlled by a DCS, the DCS must communicate with the SCADA system to coordinate production output with transmission and distribution demands.

Electric power is often thought to be one of the most prevalent sources of disruptions of interdependent critical infrastructures. As an example, a cascading failure can be initiated by a disruption of the microwave communications network used for an electric power transmission SCADA system. The lack of monitoring and control capabilities could cause a large generating unit to be taken offline, an event that would lead to loss of power at a transmission substation. This loss could cause a major imbalance, triggering a cascading failure across the power grid.
This could result in large area blackouts that could potentially affect oil and natural gas production, refinery operations, water treatment systems, wastewater collection systems, and pipeline transport systems that rely on the grid for electric power.

2.3 ICS Operation and Components

The basic operation of an ICS is shown in Figure 2-1 [2]. Some critical processes may also include safety systems. Key components include the following:

A typical ICS contains numerous control loops, human interfaces, and remote diagnostics and maintenance tools built using an array of network protocols on layered network architectures. A control loop utilizes sensors, actuators, and controllers (e.g., PLCs) to manipulate some controlled process. A sensor is a device that produces a measurement of some physical property and then sends this information as controlled variables to the controller. The controller interprets the signals and generates corresponding manipulated variables, based on a control algorithm and target set points, which it transmits to the actuators. Actuators such as control valves, breakers, switches, and motors are used to directly manipulate the controlled process based on commands from the controller.

Operators and engineers use human interfaces to monitor and configure set points, control algorithms, and to adjust and establish parameters in the controller. The human interface also displays process status information and historical information. Diagnostics and maintenance utilities are used to prevent, identify, and recover from abnormal operation or failures.

Sometimes these control loops are nested and/or cascading, whereby the set point for one loop is based on the process variable determined by another loop. Supervisory-level loops and lower-level loops operate continuously over the duration of a process with cycle times ranging on the order of milliseconds to minutes.
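The control loop just described (sensor, controller, actuator, controlled process) together with an independent safety system, as an added simulation that is not part of NIST SP 800-82. The tank process model, the PID gains, the set point and the high-high limit are all constructed values; the second run shows why the safety system reads its own sensor rather than the controller's.

```python
"""Added example, not from NIST SP 800-82: one ICS control loop (sensor ->
controller -> actuator -> controlled process) from Section 2.3, with an
independent safety system. Process model, gains and limits are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Tank:
    """Constructed controlled process: the level rises with valve inflow and
    falls with a fixed outflow, one update per control cycle."""
    level: float = 0.0
    outflow: float = 1.0      # units drained per cycle
    max_inflow: float = 3.0   # units admitted per cycle at 100 % valve opening

    def step(self, valve: float) -> float:
        valve = min(1.0, max(0.0, valve))   # the actuator saturates at 0..100 %
        self.level = max(0.0, self.level + self.max_inflow * valve - self.outflow)
        return self.level


@dataclass
class PIDController:
    """Three-mode PID controller: the controlled variable arrives from the
    sensor, the manipulated variable (valve opening 0..1) goes to the actuator.
    Integration is suspended while the output is saturated (anti-windup)."""
    set_point: float
    kp: float = 0.2
    ki: float = 0.02
    kd: float = 0.0
    integral: float = 0.0
    prev_error: float = 0.0

    def update(self, controlled_variable: float) -> float:
        error = self.set_point - controlled_variable
        derivative = error - self.prev_error
        self.prev_error = error
        candidate = self.integral + error
        output = self.kp * error + self.ki * candidate + self.kd * derivative
        if 0.0 <= output <= 1.0:
            self.integral = candidate      # not saturated: commit the integration
        else:
            output = self.kp * error + self.ki * self.integral + self.kd * derivative
        return min(1.0, max(0.0, output))


class SafetySystem:
    """Independent safety layer: it reads its own sensor, trips once the level
    reaches the high-high limit, and latches until an operator resets it."""

    def __init__(self, high_high: float):
        self.high_high = high_high
        self.tripped = False
        self.trip_cycle: Optional[int] = None

    def check(self, true_level: float, cycle: int) -> bool:
        if not self.tripped and true_level >= self.high_high:
            self.tripped, self.trip_cycle = True, cycle
        return self.tripped


def run_loop(cycles: int, set_point: float = 50.0, high_high: float = 80.0,
             sensor_fault: Optional[float] = None) -> dict:
    """Run the loop for `cycles` cycles. If `sensor_fault` is given, the
    controller's sensor reports that constant value instead of the true level
    (a stuck or falsified measurement); the safety system keeps its own sensor."""
    process = Tank()
    controller = PIDController(set_point)
    safety = SafetySystem(high_high)
    for cycle in range(1, cycles + 1):
        measurement = process.level if sensor_fault is None else sensor_fault
        valve = controller.update(measurement)        # manipulated variable
        if safety.check(process.level, cycle):        # safety overrides control
            valve = 0.0
        process.step(valve)
    return {"level": process.level, "tripped": safety.tripped,
            "trip_cycle": safety.trip_cycle}


if __name__ == "__main__":
    print(run_loop(200))                     # settles at the set point, no trip
    print(run_loop(60, sensor_fault=10.0))   # controller misled, safety trips
```

With a healthy sensor the loop settles at the set point; with the controller's sensor stuck low, the controller drives the valve fully open and only the safety system's own measurement stops the overfill.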
Figure 2-1. ICS Operation

To support subsequent discussions, this section defines key ICS components that are used in control and networking. Some of these components can be described generically for use in SCADA systems, DCS and PLCs, while others are unique to one. The Glossary of Terms in Appendix B contains a more detailed listing of control and networking components. Additionally, Figure 2-5 and Figure 2-6 show SCADA implementation examples; Figure 2-7 shows a DCS implementation example and Figure 2-8 shows a PLC implementation example that incorporates these components.

2.3.1 ICS System Design Considerations

While Section 2.3 introduced the basic components of an ICS, the design of an ICS, including whether SCADA, DCS, or PLC-based topologies are used, depends on many factors. This section identifies key factors that drive design decisions regarding the control, communication, reliability, and redundancy properties of the ICS. Because these factors heavily influence the design of the ICS, they will also help determine the security needs of the system.

• Control Timing Requirements. ICS processes have a wide range of time-related requirements, including very high speed, consistency, regularity, and synchronization. Humans may not be able to reliably and consistently meet these requirements; automated controllers may be necessary. Some systems may require the computation to be performed as close to the sensors and actuators as possible to reduce communication latency and perform necessary control actions on time.
• Geographic Distribution. Systems have varying degrees of distribution, ranging from a small system (e.g., local PLC-controlled process) to large, distributed systems (e.g., oil pipelines, electric power grid). Greater distribution typically implies a need for wide area (e.g., leased lines, circuit switching, and packet switching) and mobile communication.

• Hierarchy. Supervisory control is used to provide a central location that can aggregate data from multiple locations to support control decisions based on the current state of the system. Often a hierarchical/centralized control is used to provide human operators with a comprehensive view of the entire system.

• Control Complexity. Often control functions can be performed by simple controllers and preset algorithms. However, more complex systems (e.g., air traffic control) require human operators to ensure that all control actions are appropriate to meet the larger objectives of the system.

• Availability. The system's availability (i.e., reliability) requirements are also an important factor in design. Systems with strong availability/up-time requirements may require more redundancy or alternate implementations across all communication and control.

• Impact of Failures. The failure of a control function could incur substantially different impacts across domains. Systems with greater impacts often require the ability to continue operations through redundant controls, or the ability to operate in a degraded state. The design needs to address these requirements.

• Safety. The system's safety requirements are also an important factor in design. Systems must be able to detect unsafe conditions and trigger actions to reduce unsafe conditions to safe ones. In most safety-critical operations, human oversight and control of a potentially dangerous process is an essential part of the safety system.

2.3.2 SCADA Systems

SCADA systems are used to control dispersed assets where centralized data acquisition is as important as control [3] [4]. These systems are used in distribution systems such as water distribution and wastewater collection systems, oil and natural gas pipelines, electrical utility transmission and distribution systems, and rail and other public transportation systems. SCADA systems integrate data acquisition systems with data transmission systems and HMI software to provide a centralized monitoring and control system for numerous process inputs and outputs.
SCADA systems are designed to collect field information, transfer it to a central computer facility, and display the information to the operator graphically or textually, thereby allowing the operator to monitor or control an entire system from a central location in near real time. Based on the sophistication and setup of the individual system, control of any individual system, operation, or task can be automatic, or it can be performed by operator commands.

Typical hardware includes a control server placed at a control center, communications equipment (e.g., radio, telephone line, cable, or satellite), and one or more geographically distributed field sites consisting of Remote Terminal Units (RTUs) and/or PLCs, which control actuators and/or monitor sensors. The control server stores and processes the information from RTU inputs and outputs, while the RTU or PLC controls the local process. The communications hardware allows the transfer of information and data back and forth between the control server and the RTUs or PLCs. The software is programmed to tell the system what and when to monitor, what parameter ranges are acceptable, and what response to initiate when parameters change outside acceptable values. An Intelligent Electronic Device (IED), such as a protective relay, may communicate directly to the control server, or a local RTU may poll the IEDs to collect the data and pass it to the control server. IEDs provide a direct interface to control and monitor equipment and sensors.
IEDs may be directly polled and controlled by the control server and in most cases have local programming that allows the IED to act without direct instructions from the control center.

SCADA systems are usually designed to be fault-tolerant systems with significant redundancy built into the system. Redundancy may not be a sufficient countermeasure in the face of malicious attack.

Figure 2-2 shows the components and general configuration of a SCADA system. The control center houses a control server and the communications routers. Other control center components include the HMI, engineering workstations, and the data historian, which are all connected by a LAN. The control center collects and logs information gathered by the field sites, displays information to the HMI, and may generate actions based upon detected events. The control center is also responsible for centralized alarming, trend analyses, and reporting. The field site performs local control of actuators and monitors sensors (note that sensors and actuators are only shown in Figure 2-5). Field sites are often equipped with a remote access capability to allow operators to perform remote diagnostics and repairs, usually over a separate dial-up modem or WAN connection.
Standard and proprietary communication protocols running over serial and network communications are used to transport information between the control center and field sites using telemetry techniques such as telephone line, cable, fiber, and radio frequency such as broadcast, microwave and satellite.

SCADA communication topologies vary among implementations. The various topologies used, including point-to-point, series, series-star, and multi-drop [5], are shown in Figure 2-3. Point-to-point is functionally the simplest type; however, it is expensive because of the individual channels needed for each connection. In a series configuration, the number of channels used is reduced; however, channel sharing has an impact on the efficiency and complexity of SCADA operations. Similarly, the series-star and multi-drop configurations' use of one channel per device results in decreased efficiency and increased system complexity.

Figure 2-2. SCADA System General Layout

The four basic topologies in Figure 2-3 can be further augmented using dedicated devices to manage communication exchanges as well as message switching and buffering. Large SCADA systems containing hundreds of RTUs often employ a sub-control server to alleviate the burden on the primary server. This type of topology is shown in Figure 2-4.

Figure 2-5 shows an example of a SCADA system implementation. This particular SCADA system consists of a primary control center and three field sites. A second backup control center provides redundancy in the event of a primary control center malfunction. Point-to-point connections are used for all control center to field site communications, with two connections using radio telemetry. The third field site is local to the control center and uses the WAN for communications. A regional control center resides above the primary control center for a higher level of supervisory control. The corporate network has access to all control centers through the WAN, and field sites can be accessed remotely for troubleshooting and maintenance operations.
The primary control center polls field devices for data at defined intervals (e.g., 5 seconds, 60 seconds) and can send new set points to a field device as required. In addition to polling and issuing high-level commands, the control server also watches for priority interrupts coming from field site alarm systems.

Figure 2-3. Basic SCADA Communication Topologies

Figure 2-4. Large SCADA Communication Topology

Figure 2-5. SCADA System Implementation Example (Distribution Monitoring and Control)

Figure 2-6 shows an example implementation for rail monitoring and control. This example includes a rail control center that houses the SCADA system and three sections of a rail system. The SCADA system polls the rail sections for information such as the status of the trains, signal systems, traction electrification systems, and ticket vending machines. This information is also fed to operator consoles at the HMI station within the rail control center. The SCADA system also monitors operator inputs at the rail control center and disperses high-level operator commands to the rail section components. In addition, the SCADA system monitors conditions at the individual rail sections and issues commands based on these conditions (e.g., stopping a train to prevent it from entering an area that has been determined to be flooded or occupied by another train based on condition monitoring).
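The control server behaviour described for the Figure 2-5 system (interval polling of field devices, set points sent on demand, priority interrupts from field-site alarm systems), as an added model that is not part of NIST SP 800-82. It also shows the loss-of-communication alarm a distribution ICS needs when a long-distance link drops polls. Device names, poll intervals, readings and the missed-poll threshold are constructed.

```python
"""Added example, not from NIST SP 800-82: a control server (SCADA MTU) that
polls field devices at fixed intervals, services priority interrupts from
field-site alarm systems before the next routine poll, delivers set points,
and raises an alarm when a field site stops answering. All device names,
intervals, readings and thresholds are constructed."""
import heapq
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class FieldDevice:
    """Constructed RTU/PLC; online=False simulates a lost telemetry link."""
    name: str
    poll_interval: int            # seconds between polls (e.g. 5 or 60)
    readings: Dict[str, float]    # current measurements keyed by tag name
    online: bool = True

    def poll(self) -> Optional[Dict[str, float]]:
        return dict(self.readings) if self.online else None


class ControlServer:
    def __init__(self, devices: List[FieldDevice], max_missed: int = 3):
        self.devices = {d.name: d for d in devices}
        self.max_missed = max_missed          # missed polls before a COMM_LOSS alarm
        self.schedule: List[Tuple[int, str]] = [(0, d.name) for d in devices]
        heapq.heapify(self.schedule)          # (next poll time, device name)
        self.missed = {d.name: 0 for d in devices}
        self.data: Dict[str, Tuple[int, Dict[str, float]]] = {}  # last good reading
        self.interrupts: List[Tuple[int, int, str, str]] = []    # (priority, time, dev, msg)
        self.alarms: List[Tuple[int, str, str]] = []             # (serviced at, dev, msg)
        self.commands: List[Tuple[int, str, str, float, bool]] = []
        self.now = 0

    def raise_interrupt(self, time: int, device: str, priority: int, message: str) -> None:
        """A field-site alarm system signals an event; lower number = higher priority."""
        self.interrupts.append((priority, time, device, message))

    def _service_interrupts(self) -> None:
        """Handle every interrupt that has arrived, highest priority first,
        before the routine poll that is due now."""
        pending = sorted(i for i in self.interrupts if i[1] <= self.now)
        for item in pending:
            self.interrupts.remove(item)
            self.alarms.append((self.now, item[2], item[3]))

    def run(self, until: int) -> None:
        """Advance the scheduler through every poll due at or before `until`."""
        while self.schedule and self.schedule[0][0] <= until:
            self.now, name = heapq.heappop(self.schedule)
            self._service_interrupts()
            device = self.devices[name]
            reading = device.poll()
            if reading is None:
                self.missed[name] += 1
                if self.missed[name] == self.max_missed:   # alarm once per outage
                    self.alarms.append((self.now, name, "COMM_LOSS"))
            else:
                self.missed[name] = 0
                self.data[name] = (self.now, reading)
            heapq.heappush(self.schedule, (self.now + device.poll_interval, name))

    def send_set_point(self, name: str, tag: str, value: float) -> bool:
        """Deliver a new set point to a field device; False when the link is down."""
        delivered = self.devices[name].online
        self.commands.append((self.now, name, tag, value, delivered))
        return delivered

    def stale(self, name: str, max_age: int) -> bool:
        """True when the last good reading from `name` is older than `max_age` s,
        i.e. the HMI would be showing outdated values for that site."""
        return name not in self.data or self.now - self.data[name][0] > max_age


if __name__ == "__main__":
    a = FieldDevice("rtu-A", 5, {"flow": 12.5})
    b = FieldDevice("rtu-B", 60, {"pressure": 3.1})
    c = FieldDevice("rtu-C", 5, {"level": 40.0})
    server = ControlServer([a, b, c])
    server.raise_interrupt(12, "rtu-B", 1, "HIGH_PRESSURE")
    server.run(25)
    c.online = False                 # constructed link failure at field site C
    server.run(60)
    print(server.alarms)             # HIGH_PRESSURE serviced at 15, COMM_LOSS at 40
```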
Figure 2-6. SCADA System Implementation Example (Rail Monitoring and Control)

2.3.3 Distributed Control Systems

DCS are used to control production systems within the same geographic location for industries such as oil refineries, water and wastewater treatment, electric power generation plants, chemical manufacturing plants, automotive production, and pharmaceutical processing facilities. These systems are usually process control or discrete part control systems. DCS are integrated as a control architecture containing a supervisory level of control overseeing multiple, integrated sub-systems that are responsible for controlling the details of a localized process. A DCS uses a centralized supervisory control loop to mediate a group of localized controllers that share the overall tasks of carrying out an entire production process [6]. Product and process control are usually achieved by deploying feedback or feedforward control loops whereby key product and/or process conditions are automatically maintained around a desired set point.
To accomplish the desired product and/or process tolerance around a specified set point, specific process controllers, or more capable PLCs, are employed in the field and are tuned to provide the desired tolerance as well as the rate of self-correction during process upsets. By modularizing the production system, a DCS reduces the impact of a single fault on the overall system. In many modern systems, the DCS is interfaced with the corporate network to give business operations a view of production.

An example implementation showing the components and general configuration of a DCS is depicted in Figure 2-7. This DCS encompasses an entire facility from the bottom-level production processes up to the corporate or enterprise layer. In this example, a supervisory controller (control server) communicates to its subordinates via a control network. The supervisor sends set points to and requests data from the distributed field controllers. The distributed controllers control their process actuators based on control server commands and sensor feedback from process sensors.

Figure 2-7 gives examples of low-level controllers found on a DCS system. The field control devices shown include a PLC, a process controller, a single loop controller, and a machine controller. The single loop controller interfaces sensors and actuators using point-to-point wiring, while the other three field devices incorporate fieldbus networks to interface with process sensors and actuators. Fieldbus networks eliminate the need for point-to-point wiring between a controller and individual field sensors and actuators. Additionally, a fieldbus allows greater functionality beyond control, including field device diagnostics, and can accomplish control algorithms within the fieldbus, thereby avoiding signal routing back to the PLC for every control operation. Standard industrial communication protocols designed by industry groups such as Modbus and Fieldbus [7] are often used on control networks and fieldbus networks.

In addition to the supervisory-level and field-level control loops, intermediate levels of control may also exist. For example, in the case of a DCS controlling a discrete part manufacturing facility, there could be an intermediate level supervisor for each cell within the plant. This supervisor would encompass a manufacturing cell containing a machine controller that processes a part and a robot controller that handles raw stock and final products.
There could be several of these cells that manage field-level controllers under the main DCS supervisory control loop. 33 SP800-82 第 2 ç ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ã æè¿ã®ã·ã¹ãã ã«ã¯ãDCS ãšäŒæ¥ãããã¯ãŒã¯ã®ã€ã³ã¿ãã§ãŒã¹ã確ä¿ããŠãäºæ¥æ¥åã«çç£ç ãªèŠ³ç¹ãä»äžããŠãããã®ãå°ãªããªãã å³ 2-7 ã¯ãã³ã³ããŒãã³ããš DCS ã®äžè¬çãªæ§æã®äŸã瀺ãããã® DCS ã§ã¯ãçç£ããã»ã¹ã®åº 蟺ããäŒæ¥å±€ã«è³ãå šãŠã®æœèšãåããããŠããããã®äŸã§ã¯ãç£èŠã³ã³ãããŒã©ïŒå¶åŸ¡ãµãŒ ãïŒãå¶åŸ¡ãããã¯ãŒã¯ãä»ããŠãåŸå±å±€ãšéä¿¡ãè¡ãããã«ãªã£ãŠãããã¹ãŒããŒãã€ã¶ã¯ã åæ£ãã£ãŒã«ãã³ã³ãããŒã©ãžã®èšå®ç¹ãšããããã®èŠæ±ãéä¿¡ãããåæ£ã³ã³ãããŒã©ã¯ãå¶ åŸ¡ãµãŒãã®ã³ãã³ãåã³ããã»ã¹ã»ã³ãµããã®ã»ã³ãµãã£ãŒãããã¯ãåºã«ãããã»ã¹ã¢ã¯ã㥠ãšãŒã¿ãå¶åŸ¡ããã å³ 2-7 ã¯ãDCS ã·ã¹ãã ã«èŠãããäœã¬ãã«ã³ã³ãããŒã©ã®äŸã§ããããã£ãŒã«ãã³ã³ãããŒã© ããã€ã¹ã«ã¯ãPLCãããã»ã¹ã³ã³ãããŒã©ãåäžã«ãŒãã³ã³ãããŒã©åã³ãã·ã³ã³ã³ãããŒã© ãé 眮ãããŠãããåäžã«ãŒãã³ã³ãããŒã©ã¯ã2 å°ç¹éé ç·ã«ããã»ã³ãµãšã¢ã¯ãã¥ãšãŒã¿ã® ã€ã³ã¿ãã§ãŒã¹ãšãªãããã以å€ã® 3 çš®é¡ã®ããã€ã¹ã¯ããã£ãŒã«ããã¹ãããã¯ãŒã¯ã䜿çšã ãŠãããã»ã¹ã»ã³ãµãšã¢ã¯ãã¥ãšãŒã¿ã®ã€ã³ã¿ãã§ãŒã¹ã確ä¿ããŠããããã£ãŒã«ããã¹ããã ã¯ãŒã¯ã«ã¯ãã³ã³ãããŒã©ãšåã ã®ãã£ãŒã«ãã»ã³ãµãã¢ã¯ãã¥ãšãŒã¿éã® 2 å°ç¹éé ç·ãäžèŠ ã§ããããŸããã£ãŒã«ããã¹ã¯ããã£ãŒã«ãããã€ã¹ã®èšºæãªã©ãå¶åŸ¡ä»¥äžã®æ©èœãçºæ®ããã» ãããã£ãŒã«ããã¹å ã§å¶åŸ¡ã¢ã«ãŽãªãºã ãå®çŸããå¶åŸ¡æäœã®ãã³ã«ä¿¡å·ã PLC ã«è¿ãå¿ èŠã ãªããå¶åŸ¡ãããã¯ãŒã¯ããã£ãŒã«ããã¹ãããã¯ãŒã¯ã§ã¯ãModbus and Fieldbus [7]çã®æ¥ çã°ã«ãŒããèšèšããæšæºçãªéä¿¡ãããã³ã«ãå€çšãããã ç£èŠã¬ãã«åã³ãã£ãŒã«ãã¬ãã«ã§ã®å¶åŸ¡ã«ãŒãã®ã»ãã«ãäžéã¬ãã«ã®å¶åŸ¡ããããäŸãã°ã éšåçµç«è£œé æœèšãå¶åŸ¡ãã DCS ã®å Žåããã©ã³ãå ã®ã»ã«ããšã«äžéã¬ãã«ã®ã¹ãŒããŒãã€ã¶ ãé 眮ããããšãããããã®ã¹ãŒããŒãã€ã¶ã¯è£œé ã»ã«ãå å«ãã補é ã»ã«ã«ã¯ïŒéšåãåŠçã ãïŒãã·ã³ã³ã³ãããŒã©ãšïŒåæåšåº«ãšæçµè£œåãæ±ãïŒããããã³ã³ãããŒã©ãå«ãŸãããã ã®ãããªã»ã«ãããã€ããããã®ããããåã»ã«ã¯ã¡ã€ã³ DCS ç£èŠå¶åŸ¡ã«ãŒãã®äžã§ããã£ãŒã« ãã¬ãã«ã®ã³ã³ãããŒã©ã管çããã 34 SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY Figure 2-7. 
DCS Implementation Example 2.3.4 Programmable Logic Controller Based Topologies PLCs are used in both SCADA and DCS systems as the control components of an overall hierarchical system to provide local management of processes through feedback control as described in the sections above. In the case of SCADA systems, they may provide the same functionality of RTUs. When used in DCS, PLCs are implemented as local controllers within a supervisory control scheme. In addition to PLC usage in SCADA and DCS, PLCs are also implemented as the primary controller in smaller control system configurations to provide operational control of discrete processes such as automobile assembly lines and power plant soot blower controls These topologies differ from SCADA and DCS in that they generally lack a central control server and HMI and, therefore, primarily provide closedloop control without direct human involvement. PLCs have a user-programmable memory for storing instructions for the purpose of implementing specific functions such as I/O control, logic, timing, counting, three mode proportional-integral-derivative (PID) control, communication, arithmetic, and data and file processing. 
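The supervisory set-point/field-controller loop described above, as an added example that is not part of the guide: a supervisory command arrives over the control network, the field controller clamps and rate-limits it against local engineering limits (and reports when it had to), and a PID loop drives the actuator from sensor feedback. The tank plant, the PID tuning and the limit values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SetPointLimits:
    """Engineering limits the field controller enforces on every set point it
    receives from the supervisory controller (values are constructed)."""
    low: float       # lowest value the process may be driven to
    high: float      # highest value the process may be driven to
    max_step: float  # largest change accepted from a single supervisory command


def guard_set_point(requested: float, active: float, limits: SetPointLimits):
    """Return (set point actually used, was_altered).

    The set point arrives over the control network, so the field controller
    clamps it to the engineering range and rate-limits the change. was_altered
    is what the operator and the monitoring system should see logged: a
    command that had to be altered is either an HMI/operator mistake or
    unexpected traffic, and both need a look.
    """
    clamped = min(max(requested, limits.low), limits.high)
    delta = clamped - active
    if abs(delta) > limits.max_step:
        clamped = active + (limits.max_step if delta > 0 else -limits.max_step)
    return clamped, clamped != requested


@dataclass
class PIDController:
    """Three-mode (proportional-integral-derivative) control as a PLC runs it."""
    kp: float
    ki: float
    kd: float
    dt: float            # scan time
    integral: float = 0.0
    prev_error: float = 0.0

    def update(self, set_point: float, measurement: float) -> float:
        error = set_point - measurement
        self.integral += error * self.dt
        derivative = (error - self.prev_error) / self.dt
        self.prev_error = error
        return self.kp * error + self.ki * self.integral + self.kd * derivative


class TankProcess:
    """Constructed plant: a tank whose level rises with the inflow the actuator
    admits and drains in proportion to the level. The inflow valve saturates
    at 0..5 units per scan, as a real actuator would."""

    def __init__(self, level: float = 0.0, drain: float = 0.1, dt: float = 1.0):
        self.level, self.drain, self.dt = level, drain, dt

    def step(self, inflow: float) -> float:
        inflow = max(0.0, min(inflow, 5.0))          # valve fully closed .. fully open
        self.level += (inflow - self.drain * self.level) * self.dt
        return self.level


def run_field_loop(commands, limits: SetPointLimits, scans_per_command: int = 400):
    """Apply each supervisory set point in turn, then let the local feedback
    loop run for scans_per_command scans. Returns the set points actually
    used, which commands were altered, and the level at the end of each phase."""
    plant = TankProcess()
    # Hand tuning for this constructed plant (kd = 0: the derivative term is not
    # needed for a first-order process with no measurement noise).
    pid = PIDController(kp=0.5, ki=0.05, kd=0.0, dt=plant.dt)
    active = plant.level
    used, altered, levels = [], [], []
    for requested in commands:
        active, was_altered = guard_set_point(requested, active, limits)
        used.append(active)
        altered.append(was_altered)
        for _ in range(scans_per_command):
            plant.step(pid.update(active, plant.level))
        levels.append(plant.level)
    return used, altered, levels


if __name__ == "__main__":
    limits = SetPointLimits(low=0.0, high=100.0, max_step=25.0)
    # The second command is far outside the engineering range: it is clamped
    # to 100, then rate-limited to 45, and the alteration is reported.
    commands = [20.0, 250.0, 40.0]
    used, altered, levels = run_field_loop(commands, limits)
    for cmd, sp, flag, lvl in zip(commands, used, altered, levels):
        print(f"commanded {cmd:6.1f} -> used {sp:5.1f} altered={flag} level={lvl:.2f}")
```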
Figure 2-8 shows control of a manufacturing process being performed by a PLC over a fieldbus network. The PLC is accessible via a programming interface located on an engineering workstation, and data is stored in a data historian, all connected on a LAN.

Figure 2-8. PLC Control System Implementation Example

2.4 Comparing ICS and IT Systems Security

ICS control the physical world and IT systems manage data. ICS have many characteristics that differ from traditional IT systems, including different risks and priorities. Some of these include significant risk to the health and safety of human lives, serious damage to the environment, and financial issues such as production losses, and negative impact to a nation's economy. ICS have different performance and reliability requirements, and also use operating systems and applications that may be considered unconventional in a typical IT network environment. Security protections must be implemented in a way that maintains system integrity during normal operations as well as during times of cyber attack [17].

Initially, ICS had little resemblance to IT systems in that ICS were isolated systems running proprietary control protocols using specialized hardware and software. Widely available, low-cost Ethernet and Internet Protocol (IP) devices are now replacing the older proprietary technologies, which increases the possibility of cybersecurity vulnerabilities and incidents. As ICS are adopting IT solutions to promote corporate connectivity and remote access capabilities, and are being designed and implemented using industry standard computers, operating systems (OS) and network protocols, they are starting to resemble IT systems.
This integration supports new IT capabilities, but it provides significantly less isolation for ICS from the outside world than predecessor systems, creating a greater need to secure these systems. While security solutions have been designed to deal with these security issues in typical IT systems, special precautions must be taken when introducing these same solutions to ICS environments. In some cases, new security solutions are needed that are tailored to the ICS environment.

The environments in which ICS and IT systems operate are constantly changing. The environments of operation include, but are not limited to: the threat space; vulnerabilities; missions/business functions; mission/business processes; enterprise and information security architectures; information technologies; personnel; facilities; supply chain relationships; organizational governance/culture; procurement/acquisition processes; organizational policies/procedures; and organizational assumptions, constraints, risk tolerance, and priorities/trade-offs.

The following lists some special considerations when considering security for ICS:

- Timeliness and Performance Requirements. ICS are generally time-critical, with the criterion for acceptable levels of delay and jitter dictated by the individual installation. Some systems require reliable, deterministic responses. High throughput is typically not essential to ICS. In contrast, IT systems typically require high throughput, and they can typically withstand some level of delay and jitter. For some ICS, automated response time or system response to human interaction is very critical. Some ICS are built on real-time operating systems (RTOS), where real-time refers to timeliness requirements. The units of real-time are very application dependent and must be explicitly stated.

- Availability Requirements. Many ICS processes are continuous in nature. Unexpected outages of systems that control industrial processes are not acceptable. Outages often must be planned and scheduled days or weeks in advance. Exhaustive pre-deployment testing is essential to ensure high availability (i.e., reliability) for the ICS. Control systems often cannot be easily stopped and started without affecting production. In some cases, the products being produced or equipment being used are more important than the information being relayed. Therefore, the use of typical IT strategies such as rebooting a component is usually not an acceptable solution due to the adverse impact on the requirements for high availability, reliability and maintainability of the ICS. Some ICS employ redundant components, often running in parallel, to provide continuity when primary components are unavailable.

- Risk Management Requirements. In a typical IT system, data confidentiality and integrity are typically the primary concerns. For an ICS, human safety and fault tolerance to prevent loss of life or endangerment of public health or confidence, regulatory compliance, loss of equipment, loss of intellectual property, or lost or damaged products are the primary concerns. The personnel responsible for operating, securing, and maintaining ICS must understand the important link between safety and security. Any security measure that impairs safety is unacceptable.

- Physical Effects. ICS field devices (e.g., PLC, operator station, DCS controller) are directly responsible for controlling physical processes. ICS can have very complex interactions with physical processes, and consequences in the ICS domain can manifest in physical events. Understanding these potential physical effects often requires communication between experts in control systems and in the particular physical domain.

- System Operation. ICS operating systems (OS) and control networks are often quite different from IT counterparts, requiring different skill sets, experience, and levels of expertise. Control networks are typically managed by control engineers, not IT personnel. Assumptions that differences are not significant can have disastrous consequences on system operations.

- Resource Constraints. ICS and their real time OSs are often resource-constrained systems that do not include typical contemporary IT security capabilities. Legacy systems are often lacking resources common on modern IT systems. Many systems may not have desired features including encryption capabilities, error logging, and password protection. Indiscriminate use of IT security practices in ICS may cause availability and timing disruptions. There may not be computing resources available on ICS components to retrofit these systems with current security capabilities. Adding resources or features may not be possible.

- Communications. Communication protocols and media used by ICS environments for field device control and intra-processor communication are typically different from most IT environments, and may be proprietary.

- Change Management. Change management is paramount to maintaining the integrity of both IT and control systems. Unpatched software represents one of the greatest vulnerabilities to a system. Software updates on IT systems, including security patches, are typically applied in a timely fashion based on appropriate security policy and procedures. In addition, these procedures are often automated using server-based tools. Software updates on ICS cannot always be implemented on a timely basis. These updates need to be thoroughly tested by both the vendor of the industrial control application and the end user of the application before being implemented. Additionally, the ICS owner must plan and schedule ICS outages days/weeks in advance. The ICS may also require revalidation as part of the update process. Another issue is that many ICS utilize older versions of operating systems that are no longer supported by the vendor. Consequently, available patches may not be applicable. Change management is also applicable to hardware and firmware. The change management process, when applied to ICS, requires careful assessment by ICS experts (e.g., control engineers) working in conjunction with security and IT personnel.

- Managed Support. Typical IT systems allow for diversified support styles, perhaps supporting disparate but interconnected technology architectures. For ICS, service support is sometimes via a single vendor, which may not have a diversified and interoperable support solution from another vendor. In some instances, third-party security solutions are not allowed due to ICS vendor license and service agreements, and loss of service support can occur if third party applications are installed without vendor acknowledgement or approval.
- Component Lifetime. Typical IT components have a lifetime on the order of 3 to 5 years, with brevity due to the quick evolution of technology. For ICS, where technology has in many cases been developed for very specific use and implementation, the lifetime of the deployed technology is often on the order of 10 to 15 years and sometimes longer.

- Component Location. Most IT components and some ICS are located in business and commercial facilities physically accessible by local transportation. Remote locations may be utilized for backup facilities. Distributed ICS components may be isolated, remote, and require extensive transportation effort to reach. Component location also needs to consider necessary physical and environmental security measures.

Table 2-1 summarizes some of the typical differences between IT systems and ICS.

Table 2-1. Summary of IT System and ICS Differences

Performance Requirements
  Information Technology System:
  - Non-real-time
  - Response must be consistent
  - High throughput is demanded
  - High delay and jitter may be acceptable
  - Less critical emergency interaction
  - Tightly restricted access control can be implemented to the degree necessary for security
  Industrial Control System:
  - Real-time
  - Response is time-critical
  - Modest throughput is acceptable
  - High delay and/or jitter is not acceptable
  - Response to human and other emergency interaction is critical
  - Access to ICS should be strictly controlled, but should not hamper or interfere with human-machine interaction

Availability (Reliability) Requirements
  Information Technology System:
  - Responses such as rebooting are acceptable
  - Availability deficiencies can often be tolerated, depending on the system's operational requirements
  Industrial Control System:
  - Responses such as rebooting may not be acceptable because of process availability requirements
  - Availability requirements may necessitate redundant systems
  - Outages must be planned and scheduled days/weeks in advance
  - High availability requires exhaustive pre-deployment testing

Risk Management Requirements
  Information Technology System:
  - Manage data
  - Data confidentiality and integrity is paramount
  - Fault tolerance is less important; momentary downtime is not a major risk
  - Major risk impact is delay of business operations
  Industrial Control System:
  - Control physical world
  - Human safety is paramount, followed by protection of the process
  - Fault tolerance is essential; even momentary downtime may not be acceptable
  - Major risk impacts are regulatory non-compliance, environmental impacts, loss of life, equipment, or production

System Operation
  Information Technology System:
  - Systems are designed for use with typical operating systems
  - Upgrades are straightforward with the availability of automated deployment tools
  Industrial Control System:
  - Differing and possibly proprietary operating systems, often without security capabilities built in
  - Software changes must be carefully made, usually by software vendors, because of the specialized control algorithms and perhaps modified hardware and software involved

Resource Constraints
  Information Technology System:
  - Systems are specified with enough resources to support the addition of third-party applications such as security solutions
  Industrial Control System:
  - Systems are designed to support the intended industrial process and may not have enough memory and computing resources to support the addition of security capabilities

Communications
  Information Technology System:
  - Standard communications protocols
  - Primarily wired networks with some localized wireless capabilities
  - Typical IT networking practices
  Industrial Control System:
  - Many proprietary and standard communication protocols
  - Several types of communications media used including dedicated wire and wireless (radio and satellite)
  - Networks are complex and sometimes require the expertise of control engineers

Change Management
  Information Technology System:
  - Software changes are applied in a timely fashion in the presence of good security policy and procedures. The procedures are often automated.
  Industrial Control System:
  - Software changes must be thoroughly tested and deployed incrementally throughout a system to ensure that the integrity of the control system is maintained. ICS outages often must be planned and scheduled days/weeks in advance. ICS may use OSs that are no longer supported.

Managed Support
  Information Technology System:
  - Allow for diversified support styles
  Industrial Control System:
  - Service support is usually via a single vendor

Component Lifetime
  Information Technology System:
  - Lifetime on the order of 3 to 5 years
  Industrial Control System:
  - Lifetime on the order of 10 to 15 years

Component Location
  Information Technology System:
  - Components are usually local and easy to access
  Industrial Control System:
  - Components can be isolated, remote, and require extensive physical effort to gain access to them

In summary, the operational and risk differences between ICS and IT systems create the need for increased sophistication in applying cybersecurity and operational strategies.
A cross-functional team of control engineers, control system operators and IT security professionals needs to work closely to understand the possible implications of the installation, operation, and maintenance of security solutions in conjunction with control system operation. IT professionals working with ICS need to understand the reliability impacts of information security technologies before deployment. Some of the OSs and applications running on ICS may not operate correctly with commercial-off-the-shelf (COTS) IT cybersecurity solutions because of specialized ICS environment architectures.

2.5 Other Types of Control Systems

Although this guide provides guidance for securing ICS, other types of control systems share similar characteristics, and many of the recommendations from this guide are applicable and could be used as a reference to protect such systems against cybersecurity threats. For example, although many building, transportation, medical, security and logistics systems use different protocols, ports and services, and are configured and operate in different modes than ICS, they share similar characteristics to traditional ICS [18]. Examples of some of these systems and protocols include:

Other Types of Control Systems
- Advanced Metering Infrastructure.
- Building Automation Systems.
- Building Management Control Systems.
- Closed-Circuit Television (CCTV) Surveillance Systems.
- CO2 Monitoring.
- Digital Signage Systems.
- Digital Video Management Systems.
- Electronic Security Systems.
- Emergency Management Systems.
- Energy Management Systems.
- Exterior Lighting Control Systems.
- Fire Alarm Systems.
- Fire Sprinkler Systems.
- Interior Lighting Control Systems.
- Intrusion Detection Systems.
- Physical Access Control Systems.
- Public Safety/Land Mobile Radios.
- Renewable Energy Geothermal Systems.
- Renewable Energy Photo Voltaic Systems.
- Shade Control Systems.
- Smoke and Purge Systems.
- Vertical Transport System (Elevators and Escalators).
- Laboratory Instrument Control Systems.
- Laboratory Information Management Systems (LIMS).

Protocols/Ports and Services
- Modbus: Master/Slave - Port 502.
- BACnet (footnote 3): Master/Slave - Port 47808.
- LonWorks/LonTalk (footnote 4): Peer to Peer - Port 1679.
- DNP3: Master/Slave - Port 19999 when using Transport Layer Security (TLS), Port 20000 when not using TLS.
- IEEE 802.x - Peer to Peer.
- ZigBee - Peer to Peer.
- Bluetooth - Master/Slave.

The security controls provided in Appendix G of this guide are general and flexible enough to be used to evaluate other types of control systems, but subject matter experts should review the controls and tailor them as appropriate to address the uniqueness of other types of control systems. There is no "one size fits all," and the risks may not be the same, even within a particular group. For example, a building has many different sub-systems such as building automation, fire alarm, physical access control, digital signage, CCTV, etc. Critical life safety systems such as the fire alarm and physical access control systems may drive the impact level to be a "High," while the other systems will usually be "Low." An organization might decide to evaluate each sub-system individually, or decide to use an aggregated approach.
The control systems evaluation should be coupled to the Business Impact, Contingency Plan, and Incident Response Plan to ensure organizational critical functions and operations can be recovered and restored as defined by the organization's Recovery Time Objectives.

Footnote 3: http://www.bacnet.org/
Footnote 4: http://en.wikipedia.org/wiki/LonWorks
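The protocol/port list in section 2.5 can drive an inventory and zone-crossing check over network flow records, which is one way to see the enterprise-to-control connectivity that section 2.4 warns removes the isolation older ICS relied on. This is an added example, not from the guide: the zone subnets, the flow-record format and the records themselves are constructed.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Protocol/port mapping from section 2.5 of the guide. IEEE 802.x, ZigBee and
# Bluetooth are peer-to-peer link technologies without a fixed TCP/UDP port, so
# they cannot be recognised from flow records and are not listed here.
CONTROL_PORTS = {
    502:   ("Modbus", "cleartext"),
    47808: ("BACnet", "cleartext"),
    1679:  ("LonWorks/LonTalk", "cleartext"),
    20000: ("DNP3", "cleartext"),   # DNP3 without TLS
    19999: ("DNP3", "tls"),         # DNP3 over Transport Layer Security
}

# Constructed zone model (an assumption for this example, not from the guide):
# the control network and the corporate/enterprise network interfaced with it.
ZONES = {
    "control": ip_network("10.10.0.0/16"),
    "enterprise": ip_network("10.20.0.0/16"),
}


def zone_of(addr: str) -> str:
    """Name the zone an address belongs to, or 'unknown' if it is in none."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record: '<time> <src> <dst> <proto> <sport> <dport>'."""
    time, src, dst, proto, sport, dport = line.split()
    return {"time": time, "src": src, "dst": dst, "proto": proto,
            "sport": int(sport), "dport": int(dport)}


def assess_flow(flow: dict):
    """Return (control protocol name or None, list of findings) for one flow."""
    entry = CONTROL_PORTS.get(flow["dport"])
    if entry is None:
        return None, []                     # not a control protocol we track
    name, transport = entry
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    findings = []
    # A control protocol initiated from the business side of the interface
    # should correspond to an explicit, documented allow-list entry.
    if src_zone == "enterprise" and dst_zone == "control":
        findings.append(f"{name} from enterprise host {flow['src']} to control host {flow['dst']}")
    if src_zone == "unknown":
        findings.append(f"{name} from unmodelled address {flow['src']} to {flow['dst']}")
    if name == "DNP3" and transport == "cleartext":
        findings.append(f"DNP3 without TLS to {flow['dst']} (port 20000)")
    return name, findings


def assess_flows(lines):
    """Inventory control-protocol traffic and collect findings over many records."""
    inventory = Counter()
    findings = []
    for line in lines:
        if not line.strip():
            continue
        name, flow_findings = assess_flow(parse_flow(line))
        if name is not None:
            inventory[name] += 1
        findings.extend(flow_findings)
    return {"inventory": dict(inventory), "findings": findings}


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = """\
2015-05-01T10:00:01 10.10.1.5 10.10.2.20 tcp 49152 502
2015-05-01T10:00:02 10.10.1.5 10.10.2.21 tcp 49153 20000
2015-05-01T10:00:03 10.20.7.9 10.10.2.20 tcp 51000 502
2015-05-01T10:00:04 10.10.1.6 10.10.2.22 udp 47808 47808
2015-05-01T10:00:05 10.20.7.9 10.20.3.4 tcp 51001 443
2015-05-01T10:00:06 192.0.2.44 10.10.2.21 tcp 40000 19999
"""

if __name__ == "__main__":
    report = assess_flows(SAMPLE_FLOWS.splitlines())
    print("inventory:", report["inventory"])
    for finding in report["findings"]:
        print("finding:", finding)
```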
GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY ICS Risk Management and Assessment 3.1 Risk Management Organizations manage risk every day in meeting their business objectives. These risks may include financial risk, risk of equipment failure, and personnel safety risk, to name just a few. Organizations must develop processes to evaluate the risks associated with their business and to decide how to deal with those risks based on organizational priorities and both internal and external constraints. This management of risk is conducted as an interactive, ongoing process as part of normal operations. Organizations that use ICS have historically managed risk through good practices in safety and engineering. Safety assessments are well established in most sectors and are often incorporated into regulatory requirements. Information security risk management is an added dimension that can be complementary. The risk management process and framework outlined in this section can be applied to any risk assessment including both safety and information security. A risk management process should be employed throughout an organization, using a three-tiered approach to address risk at the (i) organization level; (ii) mission/business process level; and (iii) information system level (IT and ICS). The risk management process is carried out seamlessly across the three tiers with the overall objective of continuous improvement in the organizationâs risk-related activities and effective intertier and intra-tier communication among all stakeholders having a shared interest in the mission/business success of the organization. This section focuses primarily on ICS considerations at the information system level, however, it is important to note that the risk management activities, information, and artifacts at each tier impact and inform the other tiers. 
Section 6 extends the concepts presented here to the control family level and provides ICS-specific recommendations to augment security control families. Throughout the following discussion of risk management, ICS considerations will be highlighted and the impact that these considerations have on the risk management process will be discussed.

For more information on multi-tiered risk management and the risk management process, refer to NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission and Information System View [20]. NIST Special Publication 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach [21], provides guidelines for applying the Risk Management Framework to federal information systems, including conducting the activities of security categorization [footnote 7], security control selection and implementation, security control assessment, information system authorization [footnote 8], and security control monitoring. NIST Special Publication 800-30, Guide for Conducting Risk Assessments, provides a step-by-step process for organizations on: (i) how to prepare for risk assessments; (ii) how to conduct risk assessments; (iii) how to communicate risk assessment results to key organizational personnel; and (iv) how to maintain the risk assessments over time [79].

Footnote 7: FIPS 199 provides security categorization guidance for non-national security systems [15]. CNSS Instruction 1253 provides similar guidance for national security systems.
Footnote 8: Security authorization is the official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.

3.2 Introduction to the Risk Management Process

As shown in Figure 3-1, the risk management process has four components: framing, assessing, responding and monitoring. These activities are interdependent and often occur simultaneously within an organization. For example, the results of the monitoring component will feed into the framing component. As the environment in which organizations operate is always changing, risk management must be a continuous process where all components have on-going activities. It is important to remember that these components apply to the management of any risk, whether information security, physical security, safety or financial.

Figure 3-1. Risk Management Process Applied Across the Tiers [figure: the framing, assessing, responding, and monitoring components shown across Tier 1 - Organization, Tier 2 - Mission/Business Process, and Tier 3 - Information System]

The framing component in the risk management process consists of developing a framework for the risk management decisions to be made. The level of risk that an organization is willing to accept is its risk tolerance [21, p.6]. The framing component should include review of existing documentation, such as prior risk assessments. There may be related activities, such as community-wide disaster management planning, that also should be considered, since they impact the requirements that a risk assessment must consider.

ICS-specific Recommendations and Guidance

For operators of ICS, safety is the major consideration that directly affects decisions on how systems are engineered and operated. Safety can be defined as "freedom from conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment." [footnote 11] Part of the framing component for an ICS organization is determining how these requirements interact with information security. For example, if safety requirements conflict with good security practice, how will the organization decide between the two priorities? Most ICS operators would answer that safety is the main consideration; the framing component makes such assumptions explicit so that there is agreement throughout the process and the organization.

Another major concern for ICS operators is the availability of services provided by the ICS.
The ICS may be part of critical infrastructure (for example, water or power systems), where there is a significant need for continuous and reliable operations. As a result, ICS may have strict requirements for availability or for recovery. Such assumptions should be developed and stated in the framing component. Otherwise, the organization may make risk decisions that result in unintended consequences for those who depend on the services provided.

The physical operating environment is another aspect of risk framing that organizations should consider when working with ICS. ICS often have specific environmental requirements (e.g., a manufacturing process may require precise temperature), or they may be tied to their physical environment for operations. Such requirements and constraints should be explicitly stated in the framing component so that the risks arising from these constraints can be identified and considered.

Assessing risk requires that organizations identify their threats and vulnerabilities, the harm that such threats and vulnerabilities may cause the organization, and the likelihood that adverse events arising from those threats and vulnerabilities may actually occur.

ICS-specific Recommendations and Guidance

The DHS National Cybersecurity & Communications Integration Center (NCCIC) [footnote 12] serves as a centralized location where operational elements involved in cybersecurity and communications reliance are coordinated and integrated. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) [footnote 13] collaborates with international and private sector Computer Emergency Response Teams (CERTs) to share control systems-related security incidents and mitigation measures. ICS-CERT works to reduce risks within and across all critical infrastructure sectors by partnering with law enforcement agencies and the intelligence community and coordinating efforts among Federal, state, local, and tribal governments and control systems owners, operators, and vendors.

When assessing the potential impact to an organization's mission from a potential ICS incident, it is important to incorporate the effect on the physical process/system, the impact on dependent systems/processes, and the impact on the physical environment, among other possibilities. In addition, the potential impact on safety should always be considered.

Footnote 11: MIL-STD-882E, Standard Practice: System Safety, Department of Defense (DoD), May 11, 2012, https://acc.dau.mil/CommunityBrowser.aspx?id=683694
Footnote 12: http://www.dhs.gov/about-national-cybersecurity-communications-integration-center
Footnote 13: https://ics-cert.us-cert.gov/

The responding component is based on the concept of a consistent organization-wide response to the identification of risk. Response to identification of risk (as opposed to the response to an incident) requires that organizations first identify possible courses of action to address risk, evaluate those possibilities in light of the organization's risk tolerance and other considerations determined during the framing step, and choose the best alternative for the organization. The response component includes the implementation of the chosen course of action to address the identified risk: acceptance, avoidance, mitigation, sharing, transfer, or any combination of those options [footnote 17].

ICS-specific Recommendations and Guidance

For ICS, available risk responses may be constrained by system requirements, potential adverse impact on operations, or even regulatory compliance regimes. An example of risk sharing is when utilities enter into agreements to "loan" line workers in an emergency, which reduces the duration of the effect of an incident to acceptable levels.

Monitoring is the fourth component of the risk management activities. Organizations must monitor risk on an ongoing basis, including: the implementation of chosen risk management strategies; the changes in the environment that may affect the risk calculation; and the effectiveness and efficiency of risk reduction activities. The activities in the monitoring component impact all the other components.

3.3 Special Considerations for Doing an ICS Risk Assessment

The nature of ICS means that when an organization does a risk assessment, there may be additional considerations that do not exist when doing a risk assessment of a traditional IT system. Because the impact of a cyber incident in an ICS may include both physical and digital effects, risk assessments need to incorporate those potential effects. This section will provide a more in-depth examination of the following:
- Impacts on safety and use of safety assessments.
- Physical impact of a cyber incident on an ICS, including the larger physical environment, the effect on the process controlled, and the physical effect on the ICS itself.
- The consequences for risk assessments of non-digital control components within an ICS.

3.3.1 Safety within an ICS Information Security Risk Assessment

The culture of safety and safety assessments is well established within the majority of the ICS user community. Information security risk assessments should be seen as complementary to such assessments, though the assessments may use different approaches and cover different areas. Safety assessments are concerned primarily with the physical world. Information security risk assessments primarily look at the digital world. However, in an ICS environment, the physical and the digital are intertwined and significant overlap may occur.
It is important that organizations consider all aspects of risk management for safety (e.g., risk framing, risk tolerances), as well as the safety assessment results, when carrying out risk assessments for information security. The personnel responsible for the information security risk assessment must be able to identify and communicate identified risks that could have safety implications. Conversely, the personnel charged with safety assessments must be familiar with the potential physical impacts and their likelihood developed by the information security risk assessment process.

Footnote 17: For additional information on accepting, avoiding, mitigating, sharing, or transferring risk, refer to NIST Special Publication 800-39 [20].

3.3.2 Potential Physical Impacts of an ICS Incident

Evaluating the potential physical damage from a cyber incident should incorporate: (i) how an incident could manipulate the operation of sensors and actuators to impact the physical environment; (ii) what redundant controls exist in the ICS to prevent an impact; and (iii) how a physical incident could emerge based on these conditions. A physical impact could negatively impact the surrounding world through multiple means, including the release of hazardous materials (e.g., pollution, crude oil), damaging kinetic forces (e.g., explosions), and exposure to energy sources (e.g., electricity, steam). The physical incident could negatively impact the ICS and supporting infrastructure, the various processes performed by the ICS, or the larger physical environment. An evaluation of the potential physical impacts should include all parts of an ICS, beginning with evaluating the potential impacts on the set of sensors and actuators.
Each of these domains will be further explored below.

Evaluating the impact of a cyber incident on the physical environment should focus on potential damage to human safety, the natural environment, and other critical infrastructures. Human safety impacts should be evaluated based on whether injury, disease, or death is possible from a malfunction of the ICS. This should incorporate any safety impact assessments previously performed by the organization regarding both employees and the general public. Environmental impacts also may need to be addressed. This analysis should incorporate any available environmental impact assessments performed by the organization to determine how an incident could impact natural resources and wildlife over the short or long term. In addition, it should be noted that ICS may not be located within a single, controlled location and can be distributed over a wide physical area and exposed to uncontrolled environments. Finally, the impact on the physical environment should explore the extent to which an incident could damage infrastructures external to the ICS (e.g., electric generation/delivery, transportation infrastructures, and water services).

3.3.3 Impact of Physical Disruption of an ICS Process

In addition to the impact on the physical environment, the risk assessment should also evaluate potential effects to the physical process performed by the ICS under consideration, as well as other systems. An incident that impacts the ICS and disrupts the dependent process may cause cascading impacts into other related ICS processes and the general public's dependence on the resulting products and services. Impact to related ICS processes could include both systems and processes within the organization (e.g., a manufacturing process that depends on the process controlled by the system under consideration) or systems and processes external to the organization (e.g., a utility selling generated energy to a nearby plant).

A cyber incident can also negatively impact the physical ICS under consideration. This type of impact primarily includes the physical infrastructure of the plant (e.g., tanks, valves, motors), along with both the digital and non-digital control mechanisms (e.g., cables, PLCs, pressure gauges). Damage to the ICS or physical plant may cause either short or long term outages depending on the degree of the incident. An example of a cyber incident impacting the ICS is the Stuxnet malware, which caused physical damage to the centrifuges as well as disrupting dependent processes.

3.3.4 Incorporating Non-digital Aspects of ICS into Impact Evaluations

The impacts on the ICS cannot be adequately determined by focusing only on the digital aspects of the system, as there are often non-digital mechanisms available that provide fault tolerance and prevent the ICS from acting outside of acceptable parameters. Therefore, these mechanisms may help reduce any negative impact that a digital incident on the ICS might have and must be incorporated into the risk assessment process. For example, ICS often have non-digital control mechanisms that can prevent the ICS from operating outside of a safe boundary, and thereby limit the impact of an attack (e.g., a mechanical relief pressure valve). In addition, analog mechanisms (e.g., meters, alarms) can be used to observe the physical system state to provide operators with reliable data if digital readings are unavailable or corrupted.
Table 3-1 provides a categorization of non-digital control mechanisms that could be available to reduce the impact of an ICS incident.

Table 3-1. Categories of Non-Digital ICS Control Components

System Type: Analog Displays or Alarms
Description: Non-digital mechanisms that measure and display the state of the physical system (e.g., temperature, pressure, voltage, current) and can provide the operator with accurate information in situations when digital displays are unavailable or corrupted. The information may be provided to the operator on some non-digital display (e.g., thermometers, pressure gauges) and through audible alarms.

System Type: Manual Control Mechanisms
Description: Manual control mechanisms (e.g., manual valve controls, physical breaker switches) provide operators with the ability to manually control an actuator without relying on the digital control system. This ensures that an actuator can be controlled even if the control system is unavailable or compromised.

System Type: Analog Control Systems
Description: Analog control systems use non-digital sensors and actuators to monitor and control a physical process. These may be able to prevent the physical process from entering an undesired state in situations when the digital control system is unavailable or corrupted. Analog controls include devices such as regulators, governors, and electromechanical relays.

Determination of the potential impact that a cyber incident may have on the ICS should incorporate analysis of all non-digital control mechanisms and the extent to which they can mitigate potential negative impacts to the ICS. There are multiple considerations when evaluating the possible mitigation effects of non-digital control mechanisms, such as:
- Non-digital control mechanisms may require additional time and human involvement to perform necessary monitoring or control functions, and these efforts may be substantial. For example, such mechanisms may require operators to travel to a remote site to perform certain control functions. Such mechanisms may also depend on human response times, which may be slower than automated controls.
- Manual and analog systems may not provide monitoring or control capabilities with the same degree of accuracy and reliability as the digital control system. This may present risk if the primary control system is unavailable or corrupted, due to reduced quality, safety, or efficiency of the system. For example, a digital/numeric protection relay provides more accurate and reliable detection of faults than analog/static relays; therefore, the system may be more likely to exhibit spurious relay tripping if the digital relays are not available.

3.3.5 Incorporating the Impact of Safety Systems

Safety systems may also reduce the impact of a cyber incident to the ICS. Safety systems are often deployed to perform specific monitoring and control functions to ensure the safety of people, the environment, process, and ICS.
While these systems are traditionally implemented to be fully redundant with respect to the primary ICS, they may not provide complete redundancy from cyber incidents, specifically from a sophisticated attacker. The impact of the implemented security controls on the safety system should be evaluated to determine that they do not negatively impact the system. 3.3.6 Considering the Propagation of Impact to Connected Systems Evaluating the impact of an incident must also incorporate how the impact from the ICS could propagate to a connected ICS or physical system. An ICS may be interconnected with other systems, such that failures in one system or process can easily cascade to other systems either within or external to the organization. Impact propagation could occur due to both physical and logical dependencies. Proper communication of the results of risk assessments to the operators of connected or interdependent systems and processes is one way to mitigate such impacts. Logical damage to an interconnected ICS could occur if the cyber incident propagated to the connected control systems. An example could be if a virus or worm propagated to a connected ICS and then impacted that system. Physical damage could also propagate to other interconnected ICS. If an incident impacts the physical environment of an ICS, it may also impact other related physical domains. For example, the impact could result in a physical hazard which degrades nearby physical environments. Additionally, the impact could also degrade the common shared dependencies (e.g., power supply), or result in a shortage of material needed for a later stage in an industrial process. 
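The cascading effect described in 3.3.6, together with the mitigating (but slower and less precise) role of the non-digital mechanisms in 3.3.4, can be made concrete with a small dependency-graph model. The following Python is an added illustration, not code from NIST SP 800-82, NIST, or JPCERT; the node names, dependency factors, fallback reductions, delays, and the 0.2 notification threshold are all constructed assumptions, not values from the guide.

```python
"""Cascading-impact estimate for interconnected ICS (Sections 3.3.4 and 3.3.6).

Added illustration; it is not code from NIST SP 800-82, NIST, or JPCERT. It
models an incident that starts in one control system and propagates to
connected systems over logical dependencies (network connections) and
physical dependencies (shared power, material flow), while non-digital
fallback mechanisms (manual valves, analog regulators) limit the impact at
the nodes that have them. Every node, edge, factor, and score is a
constructed example value, not data from the guide.
"""
import heapq
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Node:
    name: str
    # Fraction of the arriving impact that a non-digital fallback absorbs
    # (0.0 = no manual/analog fallback, 0.7 = analog control keeps 70% away).
    fallback_reduction: float = 0.0
    # Minutes until the fallback is effective: manual mechanisms depend on
    # operator travel and reaction time (Section 3.3.4).
    fallback_delay_min: int = 0


@dataclass(frozen=True)
class Dependency:
    source: str    # system whose impact propagates
    target: str    # system that depends on the source
    kind: str      # "logical" (network link) or "physical" (power, material)
    factor: float  # fraction of the source impact that reaches the target


def propagate(nodes: Dict[str, Node], deps: List[Dependency],
              origin: str, initial_impact: float) -> Dict[str, float]:
    """Worst-case impact score (0..1) at every node reachable from `origin`.

    The score at a node is the largest impact arriving over any dependency
    path, attenuated by each edge factor and by the target's own fallback.
    A max over paths (not a sum) is used so that many weak parallel paths do
    not inflate the estimate. Because every multiplier is in [0, 1], a
    Dijkstra-style search on the maximum product is exact.
    """
    for d in deps:
        if d.source not in nodes or d.target not in nodes:
            raise ValueError(f"dependency references unknown node: {d}")
        if not 0.0 <= d.factor <= 1.0:
            raise ValueError(f"factor out of range: {d}")

    impact = {name: 0.0 for name in nodes}
    impact[origin] = initial_impact * (1.0 - nodes[origin].fallback_reduction)
    heap = [(-impact[origin], origin)]
    settled = set()
    while heap:
        neg, current = heapq.heappop(heap)
        if current in settled:
            continue
        settled.add(current)
        for d in deps:
            if d.source != current:
                continue
            arriving = -neg * d.factor * (1.0 - nodes[d.target].fallback_reduction)
            if arriving > impact[d.target]:
                impact[d.target] = arriving
                heapq.heappush(heap, (-arriving, d.target))
    return impact


def systems_to_notify(nodes: Dict[str, Node], impact: Dict[str, float],
                      threshold: float) -> List[Tuple[str, float, int]]:
    """Connected systems whose estimated impact reaches `threshold`.

    Section 3.3.6 names communicating assessment results to the operators of
    connected systems as a mitigation; this returns (name, score, fallback
    delay in minutes) for each such system, highest score first.
    """
    hits = [(n, round(s, 4), nodes[n].fallback_delay_min)
            for n, s in impact.items() if s >= threshold]
    return sorted(hits, key=lambda h: -h[1])


# Constructed plant model (illustrative values only).
NODES = {n.name: n for n in [
    Node("reactor_dcs", fallback_reduction=0.5, fallback_delay_min=15),  # manual valves
    Node("packaging_plc"),                                                # no fallback
    Node("cooling_water", fallback_reduction=0.7, fallback_delay_min=5),  # analog regulators
    Node("downstream_process"),
]}
DEPS = [
    Dependency("reactor_dcs", "packaging_plc", "logical", 0.8),          # shared control network
    Dependency("reactor_dcs", "cooling_water", "physical", 0.6),         # shared utility
    Dependency("packaging_plc", "downstream_process", "physical", 0.5),  # material for a later stage
    Dependency("cooling_water", "downstream_process", "physical", 0.3),
]


if __name__ == "__main__":
    scores = propagate(NODES, DEPS, origin="reactor_dcs", initial_impact=1.0)
    for name, score in scores.items():
        print(f"{name:20s} {score:.2f}")
    print("notify:", systems_to_notify(NODES, scores, threshold=0.2))
```

Running it prints a worst-case score for each node and the list of connected systems whose operators should receive the assessment results. Two modelling choices are worth noting: taking the maximum over paths gives a conservative single-path estimate per node, whereas summing parallel contributions would overstate the impact; and the fallback delay is reported beside the score rather than folded into it, because both the slower response and the reduced accuracy of a manual or analog fallback (captured by a reduction below 1.0) matter to the assessor separately.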
4. ICS Security Program Development and Deployment

Section 2 addresses critical operational differences between ICS and IT systems, and Section 3 addresses risk management. This section combines these two concerns by addressing how organizations should develop and deploy an ICS security program. ICS security plans and programs should be consistent and integrated with existing IT security experience, programs, and practices, but must account for the specific requirements and characteristics of ICS technologies and environments.
Organizations should review and update their ICS security plans and programs regularly to reflect changes in technologies, operations, standards, and regulations, as well as the security needs of specific facilities.

This section provides an overview of the development and deployment of an ICS security program. Section 4.1 describes how to establish a business case for an ICS security program, including suggested content for the business case. Sections 4.2 through 4.5 discuss the development of a comprehensive ICS security program and provide information on several major steps in deploying the program. Information on specific security controls that might be implemented as part of the security program is provided in Section 6.

Effectively integrating security into an ICS requires defining and executing a comprehensive program that addresses all aspects of security, ranging from identifying objectives to day-to-day operation and ongoing auditing for compliance and improvement. An ICS information security manager with appropriate scope, responsibility, and authority must be identified. This section describes the basic process for developing a security program, including the following:
- Develop a business case for security.
- Build and train a cross-functional team.
- Define charter and scope.
- Define specific ICS policies and procedures.
- Implement an ICS Security Risk Management Framework.
  o Define and inventory ICS assets.
  o Develop a security plan for ICS systems.
  o Perform a risk assessment.
  o Define the mitigation controls.
- Provide training and raise security awareness for ICS staff.

More detailed information on the various steps is provided in ISA-62443-2-1, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program [34].

The commitment to a security program begins at the top. Senior management must demonstrate a clear commitment to information security. Information security is a business responsibility shared by all members of the enterprise and especially by leading members of the business, process, and management teams. Information security programs with adequate funding and visible, top-level support from organization leaders are more likely to achieve compliance, function more smoothly, and have greater success than programs that lack that support.
Whenever a new system is being designed and installed, it is imperative to take the time to address security throughout the lifecycle, from architecture to procurement to installation to maintenance to decommissioning. There are serious risks in deploying systems to production on the assumption that they will be secured later. If there is insufficient time and resources to secure the system properly before deployment, it is unlikely that there will be sufficient time and resources later to address security.

Designing and implementing a new system is quite rare. It is much more common to improve, expand, or update an existing system. Everything in this section, indeed in this document, applies to managing the risk of existing ICS. Building an ICS security program and applying it to existing systems is much more complex and challenging.

4.1 Business Case for Security

The first step in implementing an information security program for ICS is to develop a compelling business case for the unique needs of the organization. The business case should capture the business concerns of senior management while being founded in the experience of those who are already dealing with many of the same risks. The business case provides the business impact and financial justification for creating an integrated information security program. It should include detailed information about the following:
- Benefits, including improved control system reliability and availability, of creating an integrated security program.
- Prioritized potential costs and damage scenarios if an information security program for the ICS is not implemented.
- High-level overview of the process required to implement, operate, monitor, review, maintain, and improve the information security program.
- Costs and resources required to develop, implement, and maintain the security program.

Before presenting the business case to management, there should be a well-thought-out and fully developed security implementation and cost plan. For example, simply requesting a firewall is insufficient.

4.1.1 Benefits

Responsible risk management policy mandates that the threat to the ICS be measured and monitored to protect the interests of employees, the public, shareholders, customers, vendors, society, and the nation. Risk analysis enables costs and benefits to be weighed so that informed decisions can be made on protective actions. In addition to reducing risks, exercising due diligence and displaying responsibility also helps organizations by:
- Improving control system safety, reliability, and availability.
- Improving employee morale, loyalty, and retention.
- Reducing community concerns.
- Increasing investor confidence.
- Reducing legal liabilities.
- Meeting regulatory requirements.
- Enhancing the corporate image and reputation.
- Helping with insurance coverage and cost.
- Improving investor and banking relations.
A strong safety and information security management program is fundamental to a sustainable business model. Improved control system security and control-system-specific security policies can potentially enhance control system reliability and availability. This also includes minimizing unintentional control system information security impacts from inappropriate testing, policies, and misconfigured systems.

4.1.2 Potential Consequences

The importance of secure systems should be further emphasized as business reliance on interconnectivity increases. Denial of Service (DoS) attacks and malware (e.g., worms, viruses) have become all too common and have already impacted ICS. Cyber attacks can have significant physical and consequential impacts. Risk management is addressed in Section 3. The major categories of impacts are as follows:
- Physical Impacts. Physical impacts encompass the set of direct consequences of ICS failure. The potential effects of paramount importance include personal injury and loss of life. Other effects include the loss of property (including data) and potential damage to the environment.
- Economic Impacts. Economic impacts are a second-order effect of the physical impacts ensuing from an ICS incident. Physical impacts could result in repercussions to system operations, which in turn inflict a greater economic loss on the facility, organization, or others dependent on the ICS. Unavailability of critical infrastructure (e.g., electrical power, transportation) can have economic impact far beyond the systems sustaining direct physical damage. These effects could negatively impact the local, regional, national, or possibly global economy.
- Social Impacts. Another second-order effect, the consequence of the loss of national or public confidence in an organization, is often overlooked. It is, however, a very real consequence that could result from an ICS incident.

The program to control such risks is addressed in Section 3. Note that the items in this list are not independent; in fact, one can lead to another. For example, a release of hazardous material can lead to injury or death. Examples of potential consequences of an ICS incident are listed below:
- Impact on national security (facilitating an act of terrorism).
- Reduction or loss of production at one site or multiple sites simultaneously.
- Injury or death of employees.
- Injury or death of persons in the community.
- Damage to equipment.
- Release, diversion, or theft of hazardous materials.
- Environmental damage.
- Violation of regulatory requirements.
- Product contamination.
- Criminal or civil legal liabilities.
- Loss of proprietary or confidential information.
- Loss of brand image or customer confidence.

Undesirable incidents of any sort detract from the value of an organization, but safety and security incidents can have longer-term negative impacts than other types of incidents on all stakeholders: employees, shareholders, customers, and the communities in which an organization operates. The list of potential business consequences needs to be prioritized to focus on the particular business consequences that senior management will find the most compelling.
The highest priority items in the list of prioritized business consequences should be evaluated to obtain an estimate of the annual business impact, preferably but not necessarily in financial terms.

The Sarbanes-Oxley Act requires corporate leaders to sign off on compliance with information accuracy and protection of corporate information.¹⁹ Also, the demonstration of due diligence is required by most internal and external audit firms to satisfy shareholders and other organization stakeholders. By implementing a comprehensive information security program, management is exercising due diligence.

4.1.3 Resources for Building a Business Case

Significant resources for information to help form a business case can be found in external resources in other organizations in similar lines of business (either individually or through information sharing exchanges, trade and standards organizations, and consulting firms) and in internal resources in related risk management programs or engineering and operations. External organizations can often provide useful tips as to what factors most strongly influenced management to support their efforts and what resources within their organizations proved most helpful. For different industries, these factors may be different, but there may be similarities in the roles that other risk management specialists can play. Appendix D provides a list and short description of some of the current activities in ICS security.

Internal resources in related risk management efforts (e.g., information security; health, safety and environmental risk; physical security; business continuity) can provide tremendous assistance based on their experience with related incidents in the organization.
This information is helpful from the standpoint of prioritizing threats and estimating business impact. These resources can also provide insight into which managers are focused on dealing with which risks and, thus, which managers might be the most appropriate or receptive to serving as a champion.

Internal resources in control systems engineering and operations can provide insight into the details of how control systems are deployed within the organization, such as the following:
- How networks are typically partitioned and segregated.
- What remote access connections are generally employed.
- How high-risk control systems or safety instrumented systems are typically designed.
- What security countermeasures are commonly used.

4.1.4 Presenting the Business Case to Leadership

Section 3 describes a three-tiered approach that addresses risk at (i) the organization level, (ii) the mission/business process level, and (iii) the information system level. The risk management process is carried out seamlessly across the three tiers, with the overall objective of continuous improvement in the organization's risk-related activities and effective inter-tier and intra-tier communication among all stakeholders having a shared interest in the mission/business success of the organization.

It is critical for the success of the ICS security program that organization-level management buy into and participate in the ICS security program. Tier 1 organization-level management that encompasses both IT and ICS operations has the perspective and authority to understand and take responsibility for the risks. The Tier 1 business leadership will be responsible for approving and driving information security policies, assigning security roles and responsibilities, and implementing the information security program across the organization. Funding for the entire program can usually be done in phases.
While some funding may be required to start the information security activity, additional funding can be obtained later as the security vulnerabilities and needs of the program are better understood and additional strategies are developed. Additionally, the costs (both direct and indirect) of retrofitting the ICS for security should be weighed against those of addressing security from the beginning.

Often, a good approach to obtaining management buy-in to address the problem is to ground the business case in a successful, actual third-party example. The business case should show management that another organization had the same problem, that it found a solution, and how it solved it. This will often prompt management to ask what the solution is and how it might be applicable to their organization.

¹⁹ More information on the Sarbanes-Oxley Act, and a copy of the act itself, can be found at http://www.sec.gov/about/laws.shtml.

4.2 Build and Train a Cross-Functional Team

It is essential for a cross-functional information security team to share their varied domain knowledge and experience to evaluate and mitigate risk in the ICS. At a minimum, the information security team should consist of a member of the organization's IT staff, a control engineer, a control system operator, security subject matter experts, and a member of the enterprise risk management staff.
Security knowledge and skills should include network architecture and design, security processes and practices, and secure infrastructure design and operation. Contemporary thinking that both safety and security are emergent properties of connected systems with digital control suggests including a safety expert. For continuity and completeness, the information security team should also include the control system vendor and/or system integrator.

The information security team should report directly to the information security manager at the mission/business process or organization tier, who in turn reports to the mission/business process manager (e.g., facility superintendent) or the enterprise information security manager (e.g., the company's CIO/CSO), respectively. Ultimate authority and responsibility rest in the Tier 1 risk executive function, which provides a comprehensive, organization-wide approach to risk management. The risk executive function works with top management to accept a level of residual risk and accountability for the information security of the ICS. Management-level accountability will help ensure an ongoing commitment to information security efforts.

While the control engineers will play a large role in securing the ICS, they will not be able to do so without collaboration and support from both the IT department and management. IT often has years of security experience, much of which is applicable to ICS. As the cultures of control engineering and IT are often significantly different, their integration will be essential for the development of a collaborative security design and operation.

4.3 Define Charter and Scope

The information security manager should establish policy that defines the guiding charter of the information security organization and the roles, responsibilities, and accountabilities of system owners, mission/business process managers, and users. The information security manager should decide upon and document the objective of the security program, the business organizations affected, all the computer systems and networks involved, the budget and resources required, and the division of responsibilities. The scope can also address business, training, audit, legal, and regulatory requirements, as well as timetables and responsibilities. The guiding charter of the information security organization is a constituent of the information security architecture, which is part of the enterprise architecture, as discussed in Section 3.
šäœã«ãããåçµãè¡ãã第 1 段éã«ããããªã¹ã¯æ åœåœ¹å¡ã«ããããªã¹ã¯æ åœåœ¹å¡ã¯ãçµå¶ã®ããããšé£æºããŠãICS ã®æ å ±ã»ãã¥ãªãã£ã«é¢ã ãæ®ãã®ãªã¹ã¯ã¬ãã«ãšèª¬æ責任ãåãå ¥ãããçµå¶é£ã¬ãã«ã®èª¬æ責任ã¯ãæ å ±ã»ãã¥ãª ãã£ãžã®åçµã«å¯ŸããŠè¡ãããŠãã姿å¢ã確åºãããã®ã«ããã®ã«åœ¹ç«ã€ã å¶åŸ¡ãšã³ãžãã¢ã¯ ICS ã®ã»ãã¥ãªãã£ç¢ºä¿ã«å€§ããªåœ¹å²ãæããããIT éšéãšçµå¶é£ããã®å åã»æ¯æŽããªããã°åãŸããªããIT ã«ãããã»ãã¥ãªãã£ã®çµéšã¯æ°å¹Žã«åã¶ããšãå€ããã ãã®å€§éšå㯠ICS ã«ãå¿çšã§ãããå¶åŸ¡ãšã³ãžãã¢ãš IT ã®æåã¯ãããã倧ããç°ãªããã ååçãªã»ãã¥ãªãã£ã®èšèšã»å®æœãå®æããã«ã¯äž¡è ã®äžäœåãäžå¯æ¬ ãšãªãã 4.3 æ²ç« åã³é©çšç¯å²ã®æ確å æ å ±ã»ãã¥ãªãã£ç®¡çè ã¯ãæ å ±ã»ãã¥ãªãã£ã®çµç¹ãã·ã¹ãã ææè ãä»»åã»äºæ¥ããã»ã¹ 管çè åã³ãŠãŒã¶ã®åœ¹å²ã»è²¬ä»»ã»èª¬æ責任ãæ確ã«ãããæéãšãªãæ²ç« ãå®ããã¹ãã§ããã æ å ±ã»ãã¥ãªãã£ç®¡çè ã¯ãã»ãã¥ãªãã£ããã°ã©ã ã®ç®çã圱é¿ãåããäºæ¥çµç¹ãé¢ä¿ã ãå šãŠã®ã³ã³ãã¥ãŒã¿ã·ã¹ãã ãšãããã¯ãŒã¯ãå¿ èŠãªäºç®ãšãªãœãŒã¹åã³è²¬ä»»ã®åæ ãæã ãã«ããŠãææžåãã¹ãã§ããã ãŸãããã«ã¯äºæ¥ãèšç·Žãç£æ»ãæ³çèŠä»¶åã³äºå®è¡šãšè²¬ä»»ãå«ãŸãããæ å ±ã»ãã¥ãªã㣠çµç¹ã®æéãšãªãæ²ç« ã¯ãã»ã¯ã·ã§ã³ 3 ã§èª¬æããäŒæ¥ã¢ãŒããã¯ãã£ã®äžéšããªãæ å ±ã» ãã¥ãªãã£ã¢ãŒããã¯ãã£ãæ§æããèŠçŽ ãšãªãã 72 SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY There may already be an information security program in place or being developed for the organizationâs IT business systems. The ICS information security manager should identify which existing practices to leverage and which practices are specific to the control system. In the long run, it will be easier to get positive results if the team can share resources with others in the organization that have similar objectives. 4.4 Define ICS-specific Security Policies and Procedures Policies and procedures are at the root of every successful security program. Wherever possible, ICSspecific security policies and procedures should be integrated with existing operational/management policies and procedures. Policies and procedures help to ensure that security protection is both consistent and current to protect against evolving threats. 
Appendix C cites a lack of security policy as an important vulnerability. Appendix Gâ, the ICS overlay, contains many ICS information security policy recommendations. After an information security risk analysis has been performed, the information security manager should examine existing security policies to see if they adequately address the risks to the ICS. If needed, existing policies should be revised or new policies created. As discussed in Section 3, Tier 1 management is responsible for developing and communicating the risk tolerance of the organizationâthe level of risk the organization is willing to acceptâwhich allows the information security manager to determine the level of risk mitigation that should be taken to reduce residual risk to acceptable levels. The development of the security policies should be based on a risk assessment that will set the security priorities and goals for the organization so that the risks posed by the threats are mitigated sufficiently. Procedures that support the policies need to be developed so that the policies are implemented fully and properly for the ICS. Security procedures should be documented, tested, and updated periodically in response to policy, technology, and threat changes. 4.5 Implement an ICS Security Risk Management Framework From an abstract viewpoint, the management of ICS risks is another risk added to the list of risks confronting an organization (e.g., financial, safety, IT, environmental). In each case, managers with responsibility for the mission or business process establish and conduct a risk management program in coordination with top managementâs risk executive function. NIST Special Publication 800-39, Managing Information Security RiskâOrganization, Mission, and Information System View [20], is the foundation of such a risk management program. 
Just like the other mission/business process areas, the personnel concerned with ICS apply their specialized subject matter knowledge to establishing and conducting ICS security risk management and to communicating with enterprise management to support effective risk management across the enterprise. NIST Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems [21], introduces the Risk Management Framework (RMF) and addresses the process of implementing it. The following sections summarize this process and apply the RMF to an ICS environment.

The RMF process includes a set of well-defined risk-related tasks that are to be carried out by selected individuals or groups within well-defined organizational roles (e.g., risk executive [function], authorizing official, authorizing official designated representative, chief information officer, senior information security officer, enterprise architect, information security architect, information owner/steward, information system owner, common control provider, information system security officer, and security control assessor). Many risk management roles have counterpart roles defined in the routine system development life cycle processes. RMF tasks are executed concurrently with or as part of system development life cycle processes, taking into account appropriate dependencies.
Organizations may also wish to consult ISA-62443-2-1, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program, which describes another view of the elements contained in a cybersecurity management system for use in the industrial automation and control systems environment [34]. It provides guidance on how to meet the requirements described for each element. Sections 4 through 6 correspond most closely to NIST SP 800-39; other sections correspond to other NIST Special Publications and to the ICS overlay in Appendix G of this document. All of these guidance documents recognize that one size does not fit all; rather, domain knowledge should be applied in tailoring or adapting the guidance to the specific organization.

4.5.1 Categorize ICS Systems and Network Assets

The information security team should define, inventory, and categorize the applications and computer systems within the ICS, as well as the networks within and interfacing to the ICS.
The focus should be on systems rather than just devices, and should include PLCs, DCS, SCADA, and instrument-based systems that use a monitoring device such as an HMI. Assets that use a routable protocol or are dial-up accessible should be documented. The team should review and update the ICS asset list annually and after each asset addition or removal.

There are several commercial enterprise IT inventory tools that can identify and document all hardware and software resident on a network. Care must be taken before using these tools to identify ICS assets; teams should first conduct an assessment of how these tools work and what impact they might have on the connected control equipment. Tool evaluation may include testing in similar, non-production control system environments to ensure that the tools do not adversely impact the production systems. Impact could be due to the nature of the information or the volume of network traffic. While this impact may be acceptable in IT systems, it may not be acceptable in an ICS.

An automated management system for inventory (e.g., Computerized Maintenance Management System (CMMS), Computer Aided Facility Management System (CAFM), Building Information Model (BIM), Geospatial Information System (GIS), Construction-Operations Building information exchange data (COBie), Building Automation Management information exchange (BAMie), Sustainment Management Systems (SMS) Builder) allows an organization to keep an accurate account of what is on the system, for security reasons and for budgetary reasons as well.

4.5.2 Select ICS Security Controls

The security controls selected based on the security categorization of the ICS are documented in the security plan, which provides an overview of the security requirements for the ICS information security program and describes the security controls in place or planned for meeting those requirements.
The development of security plans is addressed in NIST Special Publication 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems [19]. The security plan can be one document, or it can be the set of all documents addressing the security concerns for a system and the plans for countering these concerns.

In addition to security controls, NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations [20], provides a set of information security program management (PM) controls that are typically implemented at the organization level and not directed at individual organizational information systems. This section addresses how an organization establishes and carries out these program management controls. The successful implementation of security controls for organizational information systems depends on the successful implementation of organization-wide program management controls. The manner in which organizations implement the program management controls depends on specific organizational characteristics including, for example, the size, complexity, and mission/business requirements of the respective organizations. The program management controls complement the security controls and focus on the programmatic, organization-wide information security requirements that are independent of any particular information system and are essential for managing information security programs.

Organizations document program management controls in the information security program plan. The organization-wide information security program plan supplements the individual security plans developed for each organizational information system. Together, the security plans for the individual information systems and the information security program cover the totality of security controls employed by the organization.

4.5.3 Perform Risk Assessment

Because every organization has a limited set of resources, organizations should assess the impacts to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation (e.g., using FIPS 199 [15] or a more granular approach). As discussed in Section 3, organizations can experience the consequences/impact of adverse events at the individual ICS system level (e.g., failing to perform as required), at the mission/business process level (e.g., failing to fully meet mission/business objectives), and at the organizational level (e.g., failing to comply with legal or regulatory requirements, damaging reputation or relationships, or undermining long-term viability). An adverse event can have multiple consequences and different types of impact, at different levels, and in different time frames. NIST SP 800-53 [22] and the ICS overlay in Appendix G incorporate baseline security controls that derive from this determination of impact.
The organization may perform a detailed risk assessment for the highest impact systems and assessments for lower impact systems as deemed prudent and as resources allow. The risk assessment will help identify any weaknesses that contribute to information security risks and mitigation approaches to reduce the risks. Risk assessments are conducted multiple times during a system's life cycle. The focus and level of detail varies according to the system's maturity.

4.5.4 Implement the Security Controls

Organizations should analyze the detailed risk assessment and the impacts to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation, and prioritize selection of mitigation controls. Organizations should focus on mitigating risk with the greatest potential impact. Security control implementation is consistent with the organization's enterprise architecture and information security architecture.

The controls to mitigate a specific risk may vary among types of systems. For example, user authentication controls might be different for ICS than for corporate payroll systems and e-commerce systems. The ICS information security manager should document and communicate the selected controls, along with the procedures for using the controls. Some risks may be identified that can be mitigated by "quick fix" solutions: low-cost, high-value practices that can significantly reduce risk. Examples of these solutions are restricting Internet access and eliminating email access on operator control stations or consoles. Organizations should identify, evaluate, and implement suitable quick fix solutions as soon as possible to reduce security risks and achieve rapid benefits. The Department of Energy (DOE) has a "21 Steps to Improve Cyber Security of SCADA Networks" [33] document that could be used as a starting point to outline specific actions to increase the security of SCADA systems and other ICS.
5. ICS Security Architecture

When designing a network architecture for an ICS deployment, it is usually recommended to separate the ICS network from the corporate network. The nature of network traffic on these two networks is different: Internet access, FTP, email, and remote access will typically be permitted on the corporate network but should not be allowed on the ICS network. Rigorous change control procedures for network equipment, configuration, and software changes may not be in place on the corporate network. If ICS network traffic is carried on the corporate network, it could be intercepted or be subjected to DoS or Man-in-the-Middle attacks [5.14]. By having separate networks, security and performance problems on the corporate network should not be able to affect the ICS network.

Practical considerations, such as cost of ICS installation or maintaining a homogenous network infrastructure, often mean that a connection is required between the ICS and corporate networks. This connection is a significant security risk and should be protected by boundary protection devices. If the networks must be connected, it is strongly recommended that only minimal (single if possible) connections be allowed and that the connection is through a firewall and a DMZ. A DMZ is a separate network segment that connects directly to the firewall. Servers containing the data from the ICS that needs to be accessed from the corporate network are put on this network segment.
Only these systems should be accessible from the corporate network. With any external connections, the minimum access should be permitted through the firewall, including opening only the ports required for specific communication. The following sections elaborate on these architectural considerations. The ICS-CERT recommended practices working group provides additional guidance as recommended practices (footnote 21).

5.1 Network Segmentation and Segregation

This section addresses partitioning the ICS into security domains and separating the ICS from other networks, such as the corporate network, and presents an illustrative security architecture. Operational risk analysis should be performed to determine critical parts of each ICS network and operation and help define what parts of the ICS need to be segmented. Network segmentation involves partitioning the network into smaller networks. For example, one large ICS network is partitioned into multiple ICS networks, where the partitioning is based on factors such as management authority, uniform policy and level of trust, functional criticality, and amount of communications traffic that crosses the domain boundary.

Network segmentation and segregation is one of the most effective architectural concepts that an organization can implement to protect its ICS. Segmentation establishes security domains, or enclaves, that are typically defined as being managed by the same authority, enforcing the same policy, and having a uniform level of trust. Segmentation can minimize the method and level of access to sensitive information, ICS communication and equipment configuration; it can make access significantly more difficult for a malicious cyber adversary and can contain the effects of non-malicious errors and accidents.
A practical consideration in defining a security domain is the amount of communications traffic that crosses the domain boundary, because domain protection typically involves examining boundary traffic and determining whether it is permitted. The aim of network segmentation and segregation is to minimize access to sensitive information for those systems and people who don't need it, while ensuring that the organization can continue to operate effectively. This can be achieved using a number of techniques and technologies depending on the network's architecture and configuration.

21 ICS-CERT recommended practices may be found at http://ics-cert.us-cert.gov/Recommended-Practices.

Traditionally, network segmentation and segregation is implemented at the gateway between domains. ICS environments often have multiple well-defined domains, such as operational LANs, control LANs, and operational DMZs, as well as gateways to non-ICS and less trustworthy domains such as the Internet and the corporate LANs. When insider attacks, social engineering, mobile devices, and other vulnerabilities and predisposing conditions discussed in Appendix C are considered, protecting domain gateways is prudent and worth considering.
Network segregation involves developing and enforcing a ruleset controlling which communications are permitted through the boundary. Rules typically are based on source and destination identity and the type or content of the data being transferred.

When implementing network segmentation and segregation correctly you are minimizing the method and level of access to sensitive information. This can be achieved using a variety of technologies and methods. Depending on the architecture and configuration of your network, some of the common technologies and methods used include:

- Logical network separation enforced by encryption or network device-enforced partitioning.
  o Virtual Local Area Networks (VLANs).
  o Encrypted Virtual Private Networks (VPNs) use cryptographic mechanisms to separate traffic combined on one network.
  o Unidirectional gateways restrict communications between connections to a single direction, therefore segmenting the network.
- Physical network separation to completely prevent any interconnectivity of traffic between domains.
- Network traffic filtering, which can utilize a variety of technologies at various network layers to enforce security requirements and domains.
  o Network layer filtering that restricts which systems are able to communicate with others on the network based on IP and route information.
  o State-based filtering that restricts which systems are able to communicate with others on the network based on their intended function or current state of operation.
  o Port and/or protocol level filtering that restricts the number and type of services that each system can use to communicate with others on the network.
  o Application filtering that commonly filters the content of communications between systems at the application layer. This includes application-level firewalls, proxies, and content-based filters. Some vendors are making products to filter ICS protocols at the application level, which they market as ICS firewalls.
Regardless of the technology chosen to implement network segmentation and segregation, there are four common themes that implement the concept of defense-in-depth by providing for good network segmentation and segregation:

- Apply technologies at more than just the network layer. Each system and network should be segmented and segregated, where possible, from the data link layer up to and including the application layer.
- Use the principles of least privilege and need-to-know. If a system doesn't need to communicate with another system, it should not be allowed to. If a system needs to talk only to another system on a specific port or protocol and nothing else, or it needs to transfer a limited set of labeled or fixed-format data, it should be restricted as such.
- Separate information and infrastructure based on security requirements. This may include using different hardware or platforms based on different threat and risk environments in which each system or network segment operates. The most critical components require more strict isolation from other components. In addition to network separation, the use of virtualization could be employed to accomplish the required isolation.
- Implement whitelisting (footnote 23) instead of blacklisting; that is, grant access to the known good, rather than denying access to the known bad. The set of applications that run in ICS is essentially static, making whitelisting more practical. This will also improve an organization's capacity to analyze log files.
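The filtering technologies listed above and the least-privilege and whitelisting themes meet in the boundary ruleset itself. As an added example (not code from NIST SP 800-82, JPCERT or ICS-CERT), the following Python evaluates a deny-all, permit-by-exception ruleset across constructed control, DMZ and corporate zones and audits it for exceptions that would bypass the DMZ; the addresses, host roles, rules and the function names `decide` and `audit_rules` are assumptions made here.

```python
"""Deny-all, permit-by-exception ruleset across control, DMZ and corporate zones.
Added example, not code from NIST SP 800-82, JPCERT or ICS-CERT; every zone,
address, host, rule and function name here is a constructed assumption."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

# Security domains in decreasing order of trust (constructed address space).
ZONES = {
    "control": ip_network("10.10.0.0/24"),    # PLCs, HMIs, engineering stations
    "dmz": ip_network("10.20.0.0/24"),        # replicated historian, patch mirror
    "corporate": ip_network("10.30.0.0/16"),  # business LAN with email/Internet
}
CONTROL_HISTORIAN = "10.10.0.50"  # constructed: pushes process data outward
DMZ_HISTORIAN = "10.20.0.10"      # constructed: the only server corporate may read


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """One exception to the default deny. A hosts value of None means any host in the zone."""
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    src_hosts: Optional[FrozenSet[str]] = None
    dst_hosts: Optional[FrozenSet[str]] = None

    def matches(self, flow: Flow, src_zone: str, dst_zone: str) -> bool:
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and self.proto == flow.proto and self.dport == flow.dport
                and (self.src_hosts is None or flow.src in self.src_hosts)
                and (self.dst_hosts is None or flow.dst in self.dst_hosts))


# Permit-by-exception ruleset (constructed). Nothing else crosses a boundary.
RULES: List[Rule] = [
    # The control-side historian replicates outward to its DMZ copy over TLS.
    Rule("control", "dmz", "tcp", 443,
         src_hosts=frozenset({CONTROL_HISTORIAN}),
         dst_hosts=frozenset({DMZ_HISTORIAN})),
    # Corporate users read the DMZ historian only; there is no rule into "control".
    Rule("corporate", "dmz", "tcp", 443, dst_hosts=frozenset({DMZ_HISTORIAN})),
]


def zone_of(addr: str) -> Optional[str]:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def decide(flow: Flow, rules: List[Rule] = RULES) -> str:
    """Return 'PERMIT', 'DENY' or 'LOCAL' (the flow does not cross a zone boundary)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "DENY"        # unknown address space is never trusted
    if src_zone == dst_zone:
        return "LOCAL"       # intra-zone traffic is not the boundary device's decision
    if any(r.matches(flow, src_zone, dst_zone) for r in rules):
        return "PERMIT"
    return "DENY"            # default deny, which covers every corporate -> control flow


def audit_rules(rules: List[Rule] = RULES) -> List[str]:
    """Flag exceptions that contradict the segmentation principles in the text."""
    findings = []
    for r in rules:
        if r.src_zone == "corporate" and r.dst_zone == "control":
            findings.append(f"direct corporate->control path on {r.proto}/{r.dport}")
        if r.dst_zone == "control" and (r.src_hosts is None or r.dst_hosts is None):
            findings.append(f"rule into the control LAN on {r.proto}/{r.dport} "
                            "is not pinned to specific hosts")
    return findings


if __name__ == "__main__":
    samples = [
        Flow("10.30.4.7", DMZ_HISTORIAN, "tcp", 443),        # corporate read: PERMIT
        Flow("10.30.4.7", "10.10.0.20", "tcp", 502),         # corporate -> PLC: DENY
        Flow(CONTROL_HISTORIAN, DMZ_HISTORIAN, "tcp", 443),  # replication: PERMIT
        Flow("10.10.0.20", DMZ_HISTORIAN, "tcp", 443),       # unlisted control host: DENY
    ]
    for f in samples:
        print(f"{f.src:>12} -> {f.dst:<12} {f.proto}/{f.dport}: {decide(f)}")
    print("audit findings:", audit_rules() or "none")
```

Adding a hypothetical `Rule("corporate", "control", "tcp", 502)` to the list is enough for `audit_rules` to report both a direct corporate-to-control path and an unpinned rule into the control LAN.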
5.2 Boundary Protection

Boundary protection devices control the flow of information between interconnected security domains to protect the ICS against malicious cyber adversaries and non-malicious errors and accidents. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. Boundary protection devices are key components of specific architectural solutions that enforce specific security policies.

Organizations can isolate ICS and business system components performing different missions and/or business functions. Such isolation limits unauthorized information flows among system components and also provides the opportunity to deploy greater levels of protection for selected components. Separating system components with boundary protection mechanisms provides the capability for increased protection of individual components and more effective control of information flows between those components.

Boundary protection controls include gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, intrusion detection systems (networked and host-based), encrypted tunnels, managed interfaces, mail gateways, and unidirectional gateways (e.g., data diodes). Boundary protection devices determine whether data transfer is permitted, often by examining the data or associated metadata.

Network and ICS security architects must decide which domains are to be permitted direct communication, the policies governing permitted communication, the devices to be used to enforce the policy, and the topology for provisioning and implementing these decisions, which are typically based on the trust relationship between domains. Trust involves the degree of control that the organization has over the external domain (e.g., another domain in the same organization, a contracted service provider, the Internet).
Boundary protection devices are arranged in accordance with the organizational security architecture. A common architectural construct is the demilitarized zone (DMZ), a host or network segment inserted as a "neutral zone" between security domains. Its purpose is to enforce the ICS domain's information security policy for external information exchange and to provide external domains with restricted access while shielding the ICS domain from outside threats. Additional architectural considerations and functions that can be performed by boundary protection devices for inter-domain communications include:

Footnote 23. A whitelist is a list or register of those that are being provided a particular privilege, service, mobility, access or recognition. Only those on the list will be accepted, approved or recognized (i.e., permitted). Whitelisting is the reverse of blacklisting, the practice of identifying those that are denied, unrecognized, or ostracized (i.e., prohibited).
- Denying communications traffic by default and allowing communications traffic by exception (i.e., deny all, permit by exception). A deny-all, permit-by-exception communications traffic policy ensures that only those connections which are approved are allowed. This is known as a whitelisting policy.
- Implementing proxy servers that act as an intermediary for external domains requesting information system resources (e.g., files, connections, or services) from the ICS domain. External requests established through an initial connection to the proxy server are evaluated to manage complexity and to provide additional protection by limiting direct connectivity.

- Preventing the unauthorized exfiltration of information. Techniques include, for example, deep packet inspection firewalls and XML gateways. These devices verify adherence to protocol formats and specifications at the application layer and serve to identify vulnerabilities that cannot be detected by devices operating at the network or transport layers. The limited number of formats, especially the prohibition of free-form text in email, eases the use of such techniques at ICS boundaries.

- Only allowing communication between authorized and authenticated source and destination address pairs by one or more of the organization, system, application, and individual.

- Extending the DMZ concept to other separate subnetworks is useful, for example, in isolating ICS to prevent adversaries from discovering the analysis and forensics techniques of organizations.

- Enforcing physical access control to limit authorized access to ICS components.

- Concealing network addresses of ICS components from discovery (e.g., network addresses not published or entered in domain name systems), requiring prior knowledge for access.

- Disabling control and troubleshooting services and protocols, especially those employing broadcast messaging, which can facilitate network exploration.

- Configuring boundary protection devices to fail in a predetermined state. Preferred failure states for ICS involve balancing multiple factors, including safety and security.

- Configuring security domains with separate network addresses (i.e., as disjoint subnets).
- Disabling feedback (e.g., non-verbose mode) to senders when there is a failure in protocol validation format to prevent adversaries from obtaining information.

- Implementing one-way data flow, especially between different security domains.

- Establishing passive monitoring of ICS networks to actively detect anomalous communications and provide alerts.

5.3 Firewalls

Network firewalls are devices or systems that control the flow of network traffic between networks employing differing security postures. In most modern applications, firewalls and firewall environments are discussed in the context of Internet connectivity and the UDP/IP protocol suite. However, firewalls have applicability in network environments that do not include or require Internet connectivity. For example, many corporate networks employ firewalls to restrict connectivity to and from internal networks servicing more sensitive functions, such as the accounting or human resource departments. Firewalls can further restrict ICS inter-subnetwork communications between functional security subnets and devices. By employing firewalls to control connectivity to these areas, an organization can prevent unauthorized access to the respective systems and resources within the more sensitive areas.

There are three general classes of firewalls:

- Packet Filtering Firewalls. The most basic type of firewall is called a packet filter. Packet filter firewalls are essentially routing devices that include access control functionality for system addresses and communication sessions. The access control is governed by a set of directives collectively referred to as a rule set. In their most basic form, packet filters operate at layer 3 (network) of the Open Systems Interconnection (OSI) model, ISO/IEC 7498. This type of firewall checks basic information in each packet, such as IP addresses, against a set of criteria before forwarding the packet. Depending on the packet and the criteria, the firewall can drop the packet, forward it, or send a message to the originator. This type of firewall can offer a high level of security, but could result in overhead and delay impacts on network performance.

- Stateful Inspection Firewalls. Stateful inspection firewalls are packet filters that incorporate added awareness of the OSI model data at layer 4 (transport). Stateful inspection firewalls filter packets at the network layer, determine whether session packets are legitimate, and evaluate the contents of packets at the transport layer (e.g., TCP, UDP) as well. Stateful inspection keeps track of active sessions and uses that information to determine if packets should be forwarded or blocked. It offers a high level of security and good performance, but it may be more expensive and complex to administer. Additional rule sets for ICS applications may be required.

- Application-Proxy Gateway Firewalls. This class of firewalls examines packets at the application layer and filters traffic based on specific application rules, such as specified applications (e.g., browsers) or protocols (e.g., FTP). Firewalls of this type can be very effective in preventing attacks on the remote access and configuration services provided by ICS components. They offer a high level of security, but could have overhead and delay impacts on network performance, which can be unacceptable in an ICS environment.

NIST SP 800-41 Revision 1, Guidelines on Firewalls and Firewall Policy [85], provides general guidance for the selection of firewalls and firewall policies.
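The application-proxy gateway class above, and the deep packet inspection devices listed under boundary protection, both work by checking traffic against the protocol's format and a policy at the application layer, something a layer 3 or layer 4 filter cannot do. The following Python is an added example of such a check; it is not code from NIST SP 800-82 or from the JPCERT translation. It assumes Modbus/TCP as the ICS protocol being proxied (the guide names no specific protocol), and every frame it inspects is a constructed sample.

```python
"""Application-layer inspection of one ICS protocol at a proxy firewall.

Added example, not from NIST SP 800-82 or the JPCERT translation. Modbus/TCP
is assumed as the protocol (the guide names no specific one): the proxy
parses the MBAP header, checks it against the protocol format, and forwards
only read-class function codes, so a historian in the DMZ can poll a
controller but cannot write to it. All frames below are constructed samples.
"""
import struct

# Read-class function codes and the maximum quantity each may request per
# the Modbus application protocol specification. Write, diagnostic and
# vendor-specific codes are absent from the table and therefore dropped.
READ_ONLY_FUNCTIONS = {
    1: 2000,   # Read Coils
    2: 2000,   # Read Discrete Inputs
    3: 125,    # Read Holding Registers
    4: 125,    # Read Input Registers
}
MBAP_LEN = 7            # transaction id (2), protocol id (2), length (2), unit id (1)
MAX_ADU = 260           # MBAP header + 253-byte PDU


class ProtocolViolation(Exception):
    """Raised when a frame does not conform to the format or the policy."""


def inspect_modbus_request(frame: bytes) -> dict:
    """Validate one client-to-server Modbus/TCP request and return its fields.

    Every check is a format or policy rule a deep-packet-inspection proxy can
    enforce without knowing anything about the process behind the controller.
    """
    if not MBAP_LEN + 1 <= len(frame) <= MAX_ADU:
        raise ProtocolViolation("ADU length out of range")
    tid, pid, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0:
        raise ProtocolViolation("protocol id must be 0 for Modbus")
    # The length field counts unit id + PDU; it must agree with the frame size.
    if length != len(frame) - 6:
        raise ProtocolViolation("length field disagrees with frame size")
    if fc not in READ_ONLY_FUNCTIONS:
        raise ProtocolViolation(f"function code {fc} not permitted (not read-only)")
    # Read requests carry exactly start address (2 bytes) + quantity (2 bytes).
    if len(frame) != 12:
        raise ProtocolViolation("read request PDU must be function + 4 data bytes")
    start, qty = struct.unpack(">HH", frame[8:12])
    if not 1 <= qty <= READ_ONLY_FUNCTIONS[fc]:
        raise ProtocolViolation(f"quantity {qty} outside spec range for FC {fc}")
    return {"transaction": tid, "unit": unit, "function": fc,
            "start": start, "quantity": qty}


def filter_frame(frame: bytes):
    """Proxy decision: ('FORWARD', parsed fields) or ('DROP', reason)."""
    try:
        return "FORWARD", inspect_modbus_request(frame)
    except ProtocolViolation as err:
        return "DROP", str(err)


def modbus_adu(tid, unit, fc, data=b"", protocol_id=0, length=None) -> bytes:
    """Build a constructed Modbus/TCP ADU; `length` and `protocol_id` may be
    overridden to fabricate a malformed header for exercising the inspector."""
    if length is None:
        length = 1 + 1 + len(data)          # unit id + function code + data
    return struct.pack(">HHHBB", tid, protocol_id, length, unit, fc) + data


def read_request(tid, unit, fc, start, qty, **header_overrides) -> bytes:
    """Constructed request whose PDU is function code + two 16-bit fields."""
    return modbus_adu(tid, unit, fc, struct.pack(">HH", start, qty), **header_overrides)


if __name__ == "__main__":
    samples = {
        "read 10 holding registers": read_request(1, 1, 3, 0, 10),
        "write single register":     read_request(2, 1, 6, 0, 1),
        "bad length field":          read_request(3, 1, 3, 0, 10, length=9),
        "oversized quantity":        read_request(4, 1, 3, 0, 200),
    }
    for name, frame in samples.items():
        print(f"{name:28s} -> {filter_frame(frame)}")
```

Run as a script it prints the verdict for each constructed frame. The format checks run before the function-code whitelist so that a malformed header is dropped before any policy decision is taken, and the quantity limit is exactly the kind of specification rule that a network- or transport-layer filter cannot see.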
In an ICS environment, firewalls are most often deployed between the ICS network and the corporate network [34]. Properly configured, they can greatly restrict undesired access to and from control system host computers and controllers, thereby improving security. They can also potentially improve a control network's responsiveness by removing non-essential traffic from the network. When properly designed, configured, and maintained, dedicated hardware firewalls can contribute significantly to increasing the security of today's ICS environments.

Firewalls provide several tools to enforce a security policy that cannot be accomplished locally on the current set of process control devices available in the market, including the ability to:

- Block all communications with the exception of specifically enabled communications between devices on the unprotected LAN and protected ICS networks. Blocking can be based on, for example, source and destination IP address pairs, services, ports, state of the connection, and specified applications or protocols supported by the firewall. Blocking can occur on both inbound and outbound packets, which is helpful in limiting high-risk communications such as email.

- Enforce secure authentication of all users seeking to gain access to the ICS network. There is flexibility to employ varying protection levels of authentication methods, including simple passwords, complex passwords, multi-factor authentication technologies, tokens, biometrics and smart cards. Select the particular method based upon the vulnerability of the ICS network to be protected, rather than using the method that is available at the device level.
- Enforce destination authorization. Users can be restricted and allowed to reach only the nodes on the control network necessary for their job function. This reduces the potential of users intentionally or accidentally gaining access to and control of devices for which they are not authorized, but adds to the complexity of on-the-job training or cross-training employees.

- Record information flow for traffic monitoring, analysis, and intrusion detection.
- Permit the ICS to implement operational policies appropriate to the ICS but that might not be appropriate in an IT network, such as prohibition of less secure communications like email, and permitted use of easy-to-remember usernames and group passwords.

- Be designed with documented and minimal (single if possible) connections that permit the ICS network to be severed from the corporate network, should that decision be made, in times of serious cyber incidents.

Other possible deployments include using either host-based firewalls or small standalone hardware firewalls in front of, or running on, individual control devices. Using firewalls on an individual device basis can create significant management overhead, especially in change management of firewall configurations; however, this practice will also simplify individual configuration rule sets.

There are several issues that must be addressed when deploying firewalls in ICS environments, particularly the following:

- The possible addition of delay to control system communications.

- The lack of experience in the design of rule sets suitable for industrial applications.

Firewalls used to protect control systems should be configured so they do not permit either incoming or outgoing traffic by default. The default configuration should be modified only when it is necessary to permit connections to or from trusted systems to perform authorized ICS functions.

Firewalls require ongoing support, maintenance, and backup. Rule sets need to be reviewed to make sure that they are providing adequate protection in light of ever-changing security threats. System capabilities (e.g., storage space for firewall logs) should be monitored to make sure that the firewall is performing its data collection tasks and can be depended upon in the event of a security violation. Real-time monitoring of firewalls and other security sensors is required to rapidly detect and initiate response to cyber incidents.
5.4 Logically Separated Control Network

The ICS network should, at a minimum, be logically separated from the corporate network on physically separate network devices. Based on the ICS network configuration, additional separation needs to be considered for Safety Instrumented Systems and Security Systems (e.g., physical monitoring and access controls, doors, gates, cameras, VoIP, access card readers) that are often either part of the ICS network or utilize the same communications infrastructure for remote sites. When enterprise connectivity is required:

- There should be documented and minimal (single if possible) access points between the ICS network and the corporate network. Redundant (i.e., backup) access points, if present, must be documented.

- A stateful firewall between the ICS network and corporate network should be configured to deny all traffic except that which is explicitly authorized.

- The firewall rules should at a minimum provide source and destination filtering (i.e., filter on media access control [MAC] address), in addition to TCP and User Datagram Protocol (UDP) port filtering and Internet Control Message Protocol (ICMP) type and code filtering.
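The minimum rule requirements just listed (source/destination filtering including MAC address, TCP/UDP port filtering, ICMP type and code filtering, and an overall deny-all default) are easier to review when written out as an actual rule set. The following Python is an added illustration, not from NIST SP 800-82, JPCERT or any firewall vendor: a stateless evaluator with an implicit final deny, in which every subnet, host address, MAC and port is a constructed sample. Connection state is not tracked here; each packet is judged on its own.

```python
"""Deny-all, permit-by-exception rule set for the ICS/corporate boundary.

Added illustration, not taken from NIST SP 800-82 or any firewall product: a
stateless packet filter that implements the minimum filtering Section 5.4
asks for (source/destination MAC and IP, TCP/UDP ports, ICMP type and code)
with an implicit final DENY. Every address, MAC and port below is a
constructed sample.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str                        # "tcp", "udp" or "icmp"
    dport: Optional[int] = None       # tcp/udp destination port
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One PERMIT exception. A field left at its default matches anything."""
    name: str
    src_net: str
    dst_net: str
    proto: str
    src_mac: Optional[str] = None     # pin the allowed source host to its MAC
    dports: frozenset = frozenset()   # tcp/udp destination ports
    icmp: frozenset = frozenset()     # allowed (type, code) pairs

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False
        if ip_address(p.src_ip) not in ip_network(self.src_net):
            return False
        if ip_address(p.dst_ip) not in ip_network(self.dst_net):
            return False
        # MAC pinning only means something for hosts on a segment directly
        # attached to the firewall; behind a router the firewall sees the
        # router's MAC, so pin only hosts in a directly attached zone.
        if self.src_mac is not None and p.src_mac.lower() != self.src_mac.lower():
            return False
        if self.proto in ("tcp", "udp") and p.dport not in self.dports:
            return False
        if self.proto == "icmp" and (p.icmp_type, p.icmp_code) not in self.icmp:
            return False
        return True


def evaluate(rules, p: Packet) -> str:
    """Name of the first matching PERMIT rule, otherwise the default 'DENY'."""
    for r in rules:
        if r.matches(p):
            return r.name
    return "DENY"


# Constructed policy: corporate 10.1.0.0/16, DMZ 10.10.20.0/24, control 10.10.30.0/24.
RULES = [
    # Corporate users may reach the DMZ historian over HTTPS only; there is no
    # rule from the corporate network into the control network at all.
    Rule("corp-to-historian-https", "10.1.0.0/16", "10.10.20.5/32", "tcp",
         dports=frozenset({443})),
    # One named control-network host, pinned to its MAC, fetches updates from
    # the DMZ patch server; the connection is opened from the control side.
    Rule("control-to-patch-server", "10.10.30.7/32", "10.10.20.9/32", "tcp",
         src_mac="00:11:22:33:44:55", dports=frozenset({443})),
    # Echo request (type 8, code 0) only, control -> DMZ, for reachability checks.
    Rule("control-ping-dmz", "10.10.30.0/24", "10.10.20.0/24", "icmp",
         icmp=frozenset({(8, 0)})),
]


if __name__ == "__main__":
    fw_mac = "00:00:5e:00:53:01"          # constructed firewall interface MAC
    samples = [
        Packet("de:ad:be:ef:00:01", fw_mac, "10.1.5.20", "10.10.20.5", "tcp", dport=443),
        Packet("de:ad:be:ef:00:01", fw_mac, "10.1.5.20", "10.10.30.10", "tcp", dport=443),
        Packet("66:77:88:99:aa:bb", fw_mac, "10.10.30.7", "10.10.20.9", "tcp", dport=443),
        Packet("00:11:22:33:44:56", fw_mac, "10.10.30.20", "10.10.20.5", "icmp",
               icmp_type=13, icmp_code=0),
    ]
    for p in samples:
        print(f"{p.src_ip:>12} -> {p.dst_ip:<12} {p.proto:4s} {evaluate(RULES, p)}")
```

Anything a rule does not name (UDP, ICMP timestamp requests, a corporate host addressing a controller, the patch-server client with a different MAC) falls through to DENY without a rule having to say so; that is what makes the rule set reviewable against the "explicitly authorized" requirement above. Because MAC filtering only works on a directly attached segment, the MAC pin is placed on the control-side host, which is what a firewall with a control-network interface actually sees.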
An acceptable approach to enabling communication between an ICS network and a corporate network is to implement an intermediate DMZ network. The DMZ should be connected to the firewall such that specific (restricted) communication may occur only between the corporate network and the DMZ, and between the ICS network and the DMZ. The corporate network and the ICS network should not communicate directly with each other. This approach is described in Sections 5.5.4 and 5.5.5. Additional security may be obtained by implementing a Virtual Private Network (VPN) between the ICS and external networks.

5.5 Network Segregation

ICS networks and corporate networks can be segregated to enhance cybersecurity using different architectures. This section describes several possible architectures and explains the advantages and disadvantages of each. Please note that the intent of the diagrams in Section 5.5 is to show the placement of firewalls to segregate the network. Not all devices that would typically be found on the control network or corporate network are shown. Section 5.6 provides guidance on a recommended defense-in-depth architecture.

5.5.1 Dual-Homed Computer/Dual Network Interface Cards (NIC)

Dual-homed computers can pass network traffic from one network to another.
A computer without proper security controls could pose additional threats. To prevent this, no systems other than firewalls should be configured as dual-homed to span both the control and corporate networks. All connections between the control network and the corporate network should be through a firewall. This configuration provides no security improvement and should not be used to bridge networks (e.g., ICS and corporate networks).

5.5.2 Firewall between Corporate Network and Control Network

By introducing a simple two-port firewall between the corporate and control networks, as shown in Figure 5-1, a significant security improvement can be achieved. Properly configured, a firewall significantly reduces the chance of a successful external attack on the control network. Unfortunately, two issues still remain with this design. First, if the data historian resides on the corporate network, the firewall must allow the data historian to communicate with the control devices on the control network. A packet originating from a malicious or incorrectly configured host on the corporate network (appearing to be the data historian) would be forwarded to individual PLCs/DCS.
Figure 5-1. Firewall between Corporate Network and Control Network

If the data historian resides on the control network, a firewall rule must exist that allows all hosts from the enterprise to communicate with the historian. Typically, this communication occurs at the application layer as Structured Query Language (SQL) or Hypertext Transfer Protocol (HTTP) requests. Flaws in the historian's application layer code could result in a compromised historian. Once the historian is compromised, the remaining nodes on the control network are vulnerable to a propagating worm or an interactive attack.

Another issue with having a simple firewall between the networks is that spoofed packets can be constructed that can affect the control network, potentially permitting covert data to be tunneled in allowed protocols. For example, if HTTP packets are allowed through the firewall, then Trojan horse software accidentally introduced on an HMI or control network laptop could be controlled by a remote entity and send data (such as captured passwords) to that entity, disguised as legitimate traffic.

In summary, while this architecture is a significant improvement over a non-segregated network, it requires the use of firewall rules that allow direct communications between the corporate network and control network devices. This can result in possible security breaches if not very carefully designed and monitored [35].
5.5.3 Firewall and Router between Corporate Network and Control Network

A slightly more sophisticated design, shown in Figure 5-2, is the use of a router/firewall combination. The router sits in front of the firewall and offers basic packet filtering services, while the firewall handles the more complex issues using either stateful inspection or proxy techniques. This type of design is very popular in Internet-facing firewalls because it allows the faster router to handle the bulk of the incoming packets, especially in the case of DoS attacks, and reduces the load on the firewall. It also offers improved defense-in-depth because there are two different devices an adversary must bypass [35].

Figure 5-2. Firewall and Router between Corporate Network and Control Network

5.5.4 Firewall with DMZ between Corporate Network and Control Network

A significant improvement is the use of firewalls with the ability to establish a DMZ between the corporate and control networks. Each DMZ holds one or more critical components, such as the data historian, the wireless access point, or remote and third-party access systems. In effect, the use of a DMZ-capable firewall allows the creation of an intermediate network.

Creating a DMZ requires that the firewall offer three or more interfaces, rather than the typical public and private interfaces. One of the interfaces is connected to the corporate network, the second to the control network, and the remaining interfaces to the shared or insecure devices such as the data historian server or wireless access points on the DMZ network. Implementing continuous ingress and egress traffic monitoring on the DMZ is recommended.
Additionally, firewall rulesets that only permit connections between the control network and DMZ that are initiated by control network devices are recommended. Figure 5-3 provides an example of this architecture. Figure 5-3. Firewall with DMZ between Corporate Network and Control Network 97 SP800-82 第 2 ç ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ã 5.5.4 äŒæ¥ãããã¯ãŒã¯ãšå¶åŸ¡ãããã¯ãŒã¯éã® DMZ ä»ããã¡ã€ã¢ãŠã©ãŒã« äŒæ¥ãããã¯ãŒã¯ãšå¶åŸ¡ãããã¯ãŒã¯éã« DMZ ãèšçœ®ã§ãããã¡ã€ã¢ãŠã©ãŒã«ã䜿çšããã°ã ããªãã®æ¹åãšãªããå DMZ ã¯ããŒã¿ãã¹ããªã¢ã³ãã¯ã€ã¢ã¬ã¹ã¢ã¯ã»ã¹ãã€ã³ãããªã¢ãŒã ã¢ã¯ã»ã¹ã·ã¹ãã ããµãŒãããŒãã£ã¢ã¯ã»ã¹ã·ã¹ãã çã1 ååã¯è€æ°ã®éèŠã³ã³ããŒãã³ã ãæãããå®éã« DMZ èœåã®ãããã¡ã€ã¢ãŠã©ãŒã«ã䜿çšããã°ãäžéãããã¯ãŒã¯ãæ§ç¯ã§ ããã DMZ ãèšçœ®ããã«ã¯ããã¡ã€ã¢ãŠã©ãŒã«ãéåžžã®ãããªãã¯ã»ãã©ã€ããŒãã€ã³ã¿ãã§ãŒã¹ã§ ã¯ãªãã3 ã€ä»¥äžã®ã€ã³ã¿ãã§ãŒã¹ãåããŠããããšãå¿ é ãšãªãããã® 1 ã€ã¯äŒæ¥ããã㯠ãŒã¯ã«æ¥ç¶ããã2 ã€ç®ã¯å¶åŸ¡ãããã¯ãŒã¯ã«ããã以å€ã®ã€ã³ã¿ãã§ãŒã¹ã¯ããŒã¿ãã¹ã㪠ã¢ã³ãµãŒãã DMZ ãããã¯ãŒã¯äžã®ã¯ã€ã¢ã¬ã¹ã¢ã¯ã»ã¹ãã€ã³ãçãå ±æåã¯ã»ãã¥ãªãã£ã® äœãããã€ã¹ã«æ¥ç¶ããããDMZ ã®çä¿¡ã»éä¿¡ãã©ãã£ãã¯ãé£ç¶çã«ç£èŠã§ããããã«å®è£ ããããšãèŠããããããŸããã¡ã€ã¢ãŠã©ãŒã«ã«ãŒã«ã»ããã¯ãå¶åŸ¡ãããã¯ãŒã¯ããã€ã¹ã éå§ãããå¶åŸ¡ãããã¯ãŒã¯ãš DMZ éã®æ¥ç¶ãèš±å¯ãããã®ãæšå¥šãããã å³ 5-3 ã«ãã®ã¢ãŒããã¯ãã£ã®äŸã瀺ãã äŒæ¥/å€ç ã€ã³ã¿ãŒããã/WAN äŒæ¥ãããã¯ãŒã¯ ã¯ãŒã¯ã¹ããŒã·ã§ã³ ããªã³ã¿ ã¢ããªã±ãŒã·ã§ã³ ãµãŒã ã«ãŒã¿ ãã¡ã€ã¢ãŠã©ãŒã« ãã¡ã€ã¢ãŠã©ãŒã« ããŒã¿ãã¹ããªã¢ã³ ããŒã¿ãµãŒã å¶åŸ¡ãããã¯ãŒã¯ å¶åŸ¡ãµãŒã å³ 5-3.äŒæ¥ãããã¯ãŒã¯ãšå¶åŸ¡ãããã¯ãŒã¯éã® DMZ ä»ããã¡ã€ã¢ãŠã©ãŒã« 98 SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY By placing corporate-accessible components in the DMZ, no direct communication paths are required from the corporate network to the control network; each path effectively ends in the DMZ. Most firewalls can allow for multiple DMZs, and can specify what type of traffic may be forwarded between zones. 
As Figure 5-3 shows, the firewall can block arbitrary packets from the corporate network from entering the control network, and can also regulate traffic from the other network zones including the control network. With well-planned rule sets, a clear separation can be maintained between the control network and other networks, with little or no traffic passing directly between the corporate and control networks. If a patch management server, an antivirus server, or other security server is to be used for the control network, it should be located directly on the DMZ. Both functions could reside on a single server. Having patch management and antivirus management dedicated to the control network allows for controlled and secure updates that can be tailored for the unique needs of the ICS environment. It may also be helpful if the antivirus product chosen for ICS protection is not the same as the antivirus product used for the corporate network. For example, if a malware incident occurs and one antivirus product cannot detect or stop the malware, it is somewhat likely that another product may have that capability. The primary security risk in this type of architecture is that if a computer in the DMZ is compromised, then it can be used to launch an attack against the control network via application traffic permitted from the DMZ to the control network. This risk can be greatly reduced if a concerted effort is made to harden and actively patch the servers in the DMZ and if the firewall ruleset permits only connections between the control network and DMZ that are initiated by control network devices. Other concerns with this architecture are the added complexity and the potential increased cost of firewalls with several ports. For more critical systems, however, the improved security should more than offset these disadvantages [35]. 
5.5.5 Paired Firewalls between Corporate Network and Control Network

A variation on the firewall with a DMZ solution is to use a pair of firewalls positioned between the corporate and ICS networks, as shown in Figure 5-4. Common servers such as the data historian are situated between the firewalls in a DMZ-like network zone sometimes referred to as a Manufacturing Execution System (MES) layer. As in the architectures described previously, the first firewall blocks arbitrary packets from proceeding to the control network or the shared historians. The second firewall can prevent unwanted traffic from a compromised server from entering the control network, and prevent control network traffic from impacting the shared servers.

Figure 5-4. Paired Firewalls between Corporate Network and Control Network

If firewalls from two different manufacturers are used, then this solution may offer an advantage. It also allows the control group and the IT group to have clearly separated device responsibility because each can manage a firewall on its own, if the decision is made within the organization to do so.
The primary disadvantage with two-firewall architectures is the increased cost and management complexity. For environments with stringent security requirements or the need for clear management separation, this architecture has some strong advantages.

5.5.6 Network Segregation Summary

In summary, dual-homed computers generally do not provide suitable isolation between control networks and corporate networks. The two-zone solutions (no DMZ) are not recommended because they provide only weak protection. If used, they should only be deployed with extreme care. The most secure, manageable, and scalable control network and corporate network segregation architectures are typically based on a system with at least three zones, incorporating one or more DMZs.

5.6 Recommended Defense-in-Depth Architecture

A single security product, technology or solution cannot adequately protect an ICS by itself. A multiple layer strategy involving two (or more) different overlapping security mechanisms, a technique also known as defense-in-depth, is desired so that the impact of a failure in any one mechanism is minimized. A defense-in-depth architecture strategy includes the use of firewalls, the creation of demilitarized zones, intrusion detection capabilities along with effective security policies, training programs, incident response mechanisms and physical security. In addition, an effective defense-in-depth strategy requires a thorough understanding of possible attack vectors on an ICS. These include:

- Backdoors and holes in network perimeter.
- Vulnerabilities in common protocols.
- Attacks on field devices.
- Database attacks.
- Communications hijacking and "man-in-the-middle" attacks.
- Spoofing attacks.
- Attacks on privileged and/or shared accounts.

Figure 5-5 shows an ICS defense-in-depth architecture strategy that has been developed by the DHS Control Systems Security Program (CSSP) NCCIC/ICS-CERT Recommended Practices committee (see footnote 25) as described in the Control Systems Cyber Security: Defense in Depth Strategies [36] document. Additional supporting documents that cover specific issues and associated mitigations are also included on the site. The Control Systems Cyber Security: Defense in Depth Strategies document provides guidance and direction for developing defense-in-depth architecture strategies for organizations that use control system networks while maintaining a multi-tiered information architecture that requires:

- Maintenance of various field devices, telemetry collection, and/or industrial-level process systems.
- Access to facilities via remote data link or modem.
- Public facing services for customer or corporate operations.

25 Information on the CSSP Recommended Practices is located at http://ics-cert.us-cert.gov/RecommendedPractices

This strategy includes firewalls, the use of demilitarized zones and intrusion detection capabilities throughout the ICS architecture. The use of several demilitarized zones in Figure 5-5 provides the added capability to separate functionalities and access privileges and has proved to be very effective in protecting large architectures comprised of networks with different operational mandates. Intrusion detection deployments apply different rule-sets and signatures unique to each domain being monitored.

Figure 5-5. CSSP Recommended Defense-In-Depth Architecture

5.7 General Firewall Policies for ICS

Once the defense-in-depth architecture is in place, the work of determining exactly what traffic should be allowed through the firewalls begins. Configuring the firewalls to deny all except for the traffic absolutely required for business needs is every organization's basic premise, but the reality is much more difficult. Exactly what does "absolutely required for business" mean and what are the security impacts of allowing that traffic through? For example, many organizations considered allowing SQL traffic through the firewall as required for business for many data historian servers. Unfortunately, the SQL vulnerability was also the target for the Slammer worm [Table C-8. Example Adversarial Incidents]. Many important protocols used in the industrial world, such as HTTP, FTP, OPC/DCOM, EtherNet/IP, and Modbus/TCP, have significant security vulnerabilities.

The remaining material in this section summarizes some of the key points from the Centre for the Protection of National Infrastructure's (CPNI) Firewall Deployment for SCADA and Process Control Networks: Good Practice Guide [35].

When installing a single two-port firewall without a DMZ for shared servers (i.e., the architecture described in Section 5.5.2), particular care needs to be taken with the rule design.
At a minimum, all rules should be stateful rules that are both IP address and port (application) specific. The address portion of the rules should restrict incoming traffic to a very small set of shared devices (e.g., the data historian) on the control network from a controlled set of addresses on the corporate network. Allowing any IP addresses on the corporate network to access servers inside the control network is not recommended. In addition, the allowed ports should be carefully restricted to relatively secure protocols such as Hypertext Transfer Protocol Secure (HTTPS). Allowing HTTP, FTP, or other unsecured protocols to cross the firewall is a security risk due to the potential for traffic sniffing and modification. Rules should be added to deny hosts outside the control network from initiating connections with hosts on the control network. Rules should only allow devices internal to the control network the ability to establish connections outside the control network.

On the other hand, if the DMZ architecture is being used, then it is possible to configure the system so that no traffic will go directly between the corporate network and the control network. With a few special exceptions (noted below), all traffic from either side can terminate at the servers in the DMZ. This allows more flexibility in the protocols allowed through the firewall. For example, Modbus/TCP might be used to communicate from the PLCs to the data historian, while HTTP might be used for communication between the historian and enterprise clients. Both protocols are inherently insecure, yet in this case they can be used safely because neither actually crosses between the two networks. An extension to this concept is the idea of using "disjoint" protocols in all control network to corporate network communications. That is, if a protocol is allowed between the control network and DMZ, then it is explicitly not allowed between the DMZ and corporate network. This design greatly reduces the chance of a worm such as Slammer actually making its way into the control network, because the worm would have to use two different exploits over two different protocols.

One area of considerable variation in practice is the control of outbound traffic from the control network, which could represent a significant risk if unmanaged. One example is Trojan horse software that uses HTTP tunneling to exploit poorly defined outbound rules. Thus, it is important that outbound rules be as stringent as inbound rules. Example outbound rules include:

- Outbound traffic through the control network firewall should be limited to essential communications only and should be limited to authorized traffic originating from DMZ servers.
- All outbound traffic from the control network to the corporate network should be source and destination-restricted by service and port.

In addition to these rules, the firewall should be configured with outbound filtering to stop forged IP packets from leaving the control network or the DMZ. In practice this is achieved by checking the source IP addresses of outgoing packets against the firewall's respective network interface address. The intent is to prevent the control network from being the source of spoofed (i.e., forged) communications, which are often used in DoS attacks. Thus, the firewalls should be configured to forward IP packets only if those packets have a correct source IP address for the control network or DMZ networks. Finally, Internet access by devices on the control network should be strongly discouraged.
In summary, the following should be considered as recommended practice for general firewall rule sets:

- The base rule set should be deny all, permit none.
- Ports and services between the control network environment and the corporate network should be enabled and permissions granted on a specific case-by-case basis. There should be a documented business justification with risk analysis and a responsible person for each permitted incoming or outgoing data flow.
- All "permit" rules should be both IP address and TCP/UDP port specific, and stateful if appropriate.
- All rules should restrict traffic to a specific IP address or range of addresses.
- Traffic should be prevented from transiting directly from the control network to the corporate network. All traffic should terminate in the DMZ.
- Any protocol allowed between the control network and DMZ should explicitly NOT be allowed between the DMZ and corporate networks (and vice-versa).
- All outbound traffic from the control network to the corporate network should be source and destination-restricted by service and port.
- Outbound packets from the control network or DMZ should be allowed only if those packets have a correct source IP address that is assigned to the control network or DMZ devices.
- Control network devices should not be allowed to access the Internet.
- Control networks should not be directly connected to the Internet, even if protected via a firewall.
- All firewall management traffic should be carried on either a separate, secured management network (e.g., out of band) or over an encrypted network with multi-factor authentication. Traffic should also be restricted by IP address to specific management stations.
- All firewall policies should be tested periodically.
- All firewalls should be backed up immediately prior to commissioning.

These should be considered only as guidelines. A careful assessment of each control environment is required before implementing any firewall rule sets.

5.8 Recommended Firewall Rules for Specific Services

Besides the general rules described above, it is difficult to outline all-purpose rules for specific protocols. The needs and recommended practices vary significantly between industries for any given protocol and should be analyzed on an organization-by-organization basis. The Industrial Automation Open Networking Association (IAONA) offers a template for conducting such an analysis [37], assessing each of the protocols commonly found in industrial environments in terms of function, security risk, worst case impact, and suggested measures. Some of the key points from the IAONA document are summarized in this section. The reader is advised to consult this document directly when developing rule sets.
5.8.1 Domain Name System (DNS)

Domain Name System (DNS) is primarily used to translate between domain names and IP addresses. For example, a DNS could map a domain name such as control.com to an IP address such as 192.168.1.1. Most Internet services rely heavily on DNS, but its use on the control network is relatively rare at this time. In most cases there is little reason to allow DNS requests out of the control network to the corporate network and no reason to allow DNS requests into the control network. DNS requests from the control network to DMZ should be addressed on a case-by-case basis. Local DNS or the use of host files is recommended.

5.8.2 Hypertext Transfer Protocol (HTTP)

HTTP is the protocol underlying Web browsing services on the Internet. Like DNS, it is critical to most Internet services. It is seeing increasing use on the plant floor as well as an all-purpose query tool. Unfortunately, it has little inherent security, and many HTTP applications have vulnerabilities that can be exploited. HTTP can be a transport mechanism for many manually performed attacks and automated worms. In general, HTTP should not be allowed to cross from the public/corporate to the control network. If web-based technologies are absolutely required, the following best practices should be applied:

- Control access to web-based services on the physical or network layer using white-listing;
- Apply access control to both source and destination;
- Implement authorization to access the service on the application layer (instead of physical or network layer checks);
- Implement service using only the necessary technologies (e.g., scripts are used only if they are required);
- Check service according to known application security practices;
- Log all attempts of service usage; and
- Use HTTPS rather than HTTP, and only for specific authorized devices.

5.8.3 FTP and Trivial File Transfer Protocol (TFTP)

FTP and Trivial File Transfer Protocol (TFTP) are used for transferring files between devices. They are implemented on almost every platform including many SCADA systems, DCS, PLCs, and RTUs, because they are very well known and use minimum processing power. Unfortunately, neither protocol was created with security in mind; for FTP, the login password is not encrypted, and for TFTP, no login is required at all. Furthermore, some FTP implementations have a history of buffer overflow vulnerabilities. As a result, all TFTP communications should be blocked, while FTP communications should be allowed for outbound sessions only or if secured with additional token-based multi-factor authentication and an encrypted tunnel. More secure protocols, such as Secure FTP (SFTP) or Secure Copy (SCP), should be employed whenever possible.

5.8.4 Telnet

The telnet protocol defines an interactive, text-based communications session between a client and a host. It is used mainly for remote login and simple control services to systems with limited resources or to systems with limited needs for security. It is a severe security risk because all telnet traffic, including passwords, is unencrypted, and it can allow a remote individual considerable control over a device.
SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY

It is recommended to use the Secure Shell (SSH) protocol [5.8.6] for remote administration. Inbound telnet sessions from the corporate to the control network should be prohibited unless secured with token-based multi-factor authentication and an encrypted tunnel. Outbound telnet sessions should be allowed only over encrypted tunnels (e.g., VPN) to specific authorized devices.

5.8.5 Dynamic Host Configuration Protocol (DHCP)

DHCP is used on IP networks for dynamically distributing network configuration parameters, such as IP addresses for interfaces and services. The base DHCP includes no mechanism for authenticating servers and clients. Rogue DHCP servers can provide incorrect information to clients. Unauthorized clients can gain access to the server and cause exhaustion of available resources (e.g., IP addresses). To prevent this, it is recommended to use static configuration instead of dynamic address allocation, which should be the typical configuration for ICS devices. If dynamic allocation is necessary, it is recommended to enable DHCP snooping to defend against rogue DHCP servers, Address Resolution Protocol (ARP) and IP spoofing. The DHCP servers should be placed in the same network segment as configured equipment (e.g., on the router). DHCP relaying is not recommended.

5.8.6 Secure Shell (SSH)

SSH allows remote access to a device. It provides secure authentication and authorization based on cryptography.
If remote access is required to the control network, SSH is recommended as the alternative to telnet, rlogin, rsh, rcp and other insecure remote access tools.

5.8.7 Simple Object Access Protocol (SOAP)

SOAP is an XML-based format syntax to exchange messages. Traffic flows related to SOAP-based services should be controlled at the firewall between corporate and ICS network segments. If these services are necessary, deep-packet inspection and/or application layer firewalls should be used to restrict the contents of messages.

5.8.8 Simple Mail Transfer Protocol (SMTP)

SMTP is the primary email transfer protocol on the Internet. Email messages often contain malware, so inbound email should not be allowed to any control network device. Outbound SMTP mail messages from the control network to the corporate network are acceptable to send alert messages.

5.8.9 Simple Network Management Protocol (SNMP)

SNMP is used to provide network management services between a central management console and network devices such as routers, printers, and PLCs. Although SNMP is an extremely useful service for maintaining a network, it is very weak in security. Versions 1 and 2 of SNMP use unencrypted passwords to both read and configure devices (including devices such as PLCs), and in many cases the passwords are well known and cannot be changed. Version 3 is considerably more secure but is still limited in use. SNMP V1 & V2 commands both to and from the control network should be prohibited unless they are over a separate, secured management network, whereas SNMP V3 commands may be able to be sent to the ICS using the security features inherent to V3.
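The rules in 5.8.3 through 5.8.9 are direction- and zone-dependent, which is easy to get wrong in a rule base. The following is an added example, not code from NIST SP 800-82 or JPCERT, that encodes those rules as a policy check over constructed flows; the zone names, the Flow fields and the reason strings are assumptions made for the illustration.

```python
"""Zone-aware policy check for the protocol rules in 5.8.3 to 5.8.9.

Added example for this page; it is not code from NIST SP 800-82 or from
JPCERT. The zone names, the Flow fields and the reason strings are
assumptions made for the illustration; the decisions follow the cited text.
"""
from dataclasses import dataclass
from typing import Tuple

CORPORATE, DMZ, CONTROL = "corporate", "dmz", "control"


@dataclass(frozen=True)
class Flow:
    """One candidate session as seen by the control-network firewall."""
    proto: str                       # tftp, ftp, telnet, ssh, soap, smtp, snmp
    src_zone: str
    dst_zone: str
    mfa_and_tunnel: bool = False     # token-based MFA plus an encrypted tunnel
    encrypted_tunnel: bool = False   # e.g. a VPN to the far end
    authorized_device: bool = False  # far end is a specifically authorized device
    dpi: bool = False                # deep-packet inspection / app-layer firewall
    mgmt_network: bool = False       # separate, secured management network
    snmp_version: int = 0            # 1, 2 or 3; 0 when the flow is not SNMP


def evaluate(f: Flow) -> Tuple[bool, str]:
    """Return (allowed, reason) for one flow under the 5.8.x rules."""
    inbound = f.dst_zone == CONTROL and f.src_zone != CONTROL
    outbound = f.src_zone == CONTROL and f.dst_zone != CONTROL
    p = f.proto.lower()

    if p == "tftp":                                  # 5.8.3: no login at all
        return False, "5.8.3: all TFTP communications should be blocked"

    if p == "ftp":                                   # 5.8.3: cleartext password
        if outbound:
            return True, "5.8.3: outbound FTP session"
        if f.mfa_and_tunnel:
            return True, "5.8.3: FTP secured with token MFA and encrypted tunnel"
        return False, "5.8.3: FTP only outbound or with MFA and encrypted tunnel"

    if p == "telnet":                                # 5.8.4: everything in clear
        if inbound and f.mfa_and_tunnel:
            return True, "5.8.4: inbound telnet with token MFA and encrypted tunnel"
        if outbound and f.encrypted_tunnel and f.authorized_device:
            return True, "5.8.4: outbound telnet in encrypted tunnel to authorized device"
        return False, "5.8.4: telnet prohibited; SSH is the alternative [5.8.6]"

    if p == "ssh":
        return True, "5.8.6: SSH is the recommended remote-access protocol"

    if p == "soap":                                  # 5.8.7: restrict message contents
        if f.src_zone == f.dst_zone:
            return True, "5.8.7: SOAP inside one segment, no boundary crossed"
        if f.dpi:
            return True, "5.8.7: SOAP across segments with deep-packet inspection"
        return False, "5.8.7: SOAP across segments needs DPI or app-layer firewall"

    if p == "smtp":                                  # 5.8.8: mail carries malware
        if f.dst_zone == CONTROL:
            return False, "5.8.8: no inbound email to any control network device"
        if f.src_zone == CONTROL and f.dst_zone == CORPORATE:
            return True, "5.8.8: outbound alert mail to the corporate network"
        return False, "5.8.8: SMTP path not covered by the guidance, default deny"

    if p == "snmp":                                  # 5.8.9: v1/v2 passwords in clear
        if f.snmp_version == 3:
            return True, "5.8.9: SNMP v3 using its inherent security features"
        if f.snmp_version not in (1, 2):
            return False, "5.8.9: unknown SNMP version, default deny"
        if inbound or outbound:
            if f.mgmt_network:
                return True, "5.8.9: SNMP v1/v2 over separate secured management network"
            return False, "5.8.9: SNMP v1/v2 to or from the control network prohibited"
        return True, "5.8.9: flow does not touch the control network, rule not triggered"

    return False, "default deny: protocol not covered by 5.8.3-5.8.9"


if __name__ == "__main__":
    # Constructed sample flows, not captured from any real network.
    samples = [
        Flow("tftp", CORPORATE, CONTROL),
        Flow("ftp", CONTROL, CORPORATE),
        Flow("telnet", CORPORATE, CONTROL),
        Flow("telnet", CORPORATE, CONTROL, mfa_and_tunnel=True),
        Flow("smtp", CORPORATE, CONTROL),
        Flow("snmp", CORPORATE, CONTROL, snmp_version=2),
        Flow("snmp", CORPORATE, CONTROL, snmp_version=3),
    ]
    for flow in samples:
        allowed, why = evaluate(flow)
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{verdict:5} {flow.proto:6} {flow.src_zone}->{flow.dst_zone}: {why}")
```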
5.8.10 Distributed Component Object Model (DCOM)

DCOM is the underlying protocol for OLE for Process Control (OPC). It utilizes Microsoft's Remote Procedure Call (RPC) service which, when not patched, has many vulnerabilities. These vulnerabilities were the basis for the Blaster worm exploits (footnote 27). In addition, OPC, which utilizes DCOM, dynamically opens a wide range of ports (1024 to 65535) that can be extremely difficult to filter at the firewall. This protocol should only be allowed between control network and DMZ networks and explicitly blocked between the DMZ and corporate network. Also, users are advised to restrict the port ranges used by making registry modifications on devices using DCOM.

5.8.11 SCADA and Industrial Protocols

SCADA and industrial protocols, such as Modbus/TCP, EtherNet/IP, IEC 61850, ICCP and DNP3 (footnote 28), are critical for communications to most control devices. Unfortunately, many of these protocols were designed without security built in and do not typically require any authentication to remotely execute commands on a control device. These protocols should only be allowed within the control network and not allowed to cross into the corporate network.

5.9 Network Address Translation (NAT)

Network address translation (NAT) is a service where IP addresses used on one side of a network device can be mapped to a different set on the other side on an as-needed basis.
It was originally designed for IP address reduction purposes so that an organization with a large number of devices that occasionally needed Internet access could get by with a smaller set of assigned Internet addresses. To do this, most NAT implementations rely on the premise that not every internal device is actively communicating with external hosts at a given moment. The firewall is configured to have a limited number of outwardly visible IP addresses. When an internal host seeks to communicate with an external host, the firewall remaps the internal IP address and port to one of the currently unused, more limited, public IP addresses, effectively concentrating outgoing traffic into fewer IP addresses. The firewall must track the state of each connection and how each private internal IP address and source port was remapped onto an outwardly visible IP address/port pair. When returning traffic reaches the firewall, the mapping is reversed and the packets forwarded to the proper internal host.

For example, a control network device may need to establish a connection with an external, non-control network host (for instance, to send a critical alert email). NAT allows the internal IP address of the initiating control network host to be replaced by the firewall; subsequent return traffic packets are remapped back to the internal IP address and sent to the appropriate control network device. More specifically, if the control network is assigned the private subnet 192.168.1.xxx and the Internet network expects the device to use the corporate assigned addresses in the range 192.6.yyy.zzz, then a NAT firewall will substitute (and track) a 192.6.yyy.zzz source address into every outbound IP packet generated by a control network device.

Producer-consumer protocols, such as EtherNet/IP and Foundation Fieldbus, are particularly troublesome because NAT does not support the multicast-based traffic that these protocols need to offer their full services.
27 http://en.wikipedia.org/wiki/Blaster_%28computer_worm%29
28 IEEE 1815-2012, IEEE Standard for Electric Power Systems Communications - Distributed Network Protocol (DNP3), incorporates DNP3 Secure Authentication version 5 (DNP3-SAv5) which provides strong application layer authentication with remote security credential management. See https://standards.ieee.org/findstds/standard/1815-2012.html.
In general, while NAT offers some distinct advantages, its impact on the actual industrial protocols and configuration should be assessed carefully before it is deployed. Furthermore, certain protocols are specifically broken by NAT because of the lack of direct addressing. For example, OPC requires special third-party tunneling software to work with NAT.

5.10 Specific ICS Firewall Issues

In addition to the issues with firewalls and ICS already discussed, there are some additional problems that need to be examined in more detail.
The rest of this section discusses three specific areas of concern: the placement of data historians, remote access for ICS support, and multicast traffic.

5.10.1 Data Historians

The existence of shared control network/corporate network servers such as data historians and asset management servers can have a significant impact on firewall design and configuration. In three-zone systems the placement of these servers in a DMZ is relatively straightforward, but in two-zone designs the issues become complex. Placing the historian on the corporate side of the firewall means that a number of insecure protocols, such as Modbus/TCP or DCOM, must be allowed through the firewall and that every control device reporting to the historian is exposed to the corporate side of the network. On the other hand, putting the historian on the control network side means other equally questionable protocols, such as HTTP or SQL, must be allowed through the firewall, and there is now a server accessible to nearly everyone in the organization sitting on the control network. In general, the best solution is to avoid two-zone systems (no DMZ) and use a three-zone design, placing the data collector in the control network and the historian component in the DMZ.

5.10.2 Remote Support Access

Another issue for ICS firewall design is user and/or vendor remote access into the control network. Any users accessing the control network from remote networks should be required to authenticate using an appropriately strong mechanism such as token-based authentication. While it is possible for the controls group to set up their own remote access system with multi-factor authentication on the DMZ, in most organizations it is typically more efficient to use existing systems set up by the IT department. In this case a connection through the firewall from the IT remote access server is needed.
Remote support personnel connecting over the Internet or via dialup modems should use an encrypted protocol, such as running a corporate VPN connection client, application server, or secure HTTP access, and authenticate using a strong mechanism, such as a token-based multi-factor authentication scheme, in order to connect to the general corporate network. Once connected, they should be required to authenticate a second time at the control network firewall using a strong mechanism, such as a token-based multi-factor authentication scheme, to gain access to the control network. Proxy servers can also provide additional capabilities for securing remote support access.

5.10.3 Multicast Traffic

Most industrial producer-consumer (or publisher-subscriber) protocols operating over Ethernet, such as EtherNet/IP and Foundation Fieldbus HSE, are IP multicast-based. The first advantage of IP multicasting is network efficiency; by not repeating the data transmission to the multiple destinations, a significant reduction in network load can occur. The second advantage is that the sending host need not be concerned with knowing every IP address of every destination host listening for the broadcast information.
The third, and perhaps most important for industrial control purposes, is that a single multicast message offers far better capabilities for time synchronization between multiple control devices than multiple unicast messages.

If the source and destinations of a multicast packet are connected with no intervening routers or firewalls between them, the multicast transmission is relatively seamless. However, if the source and destinations are not on the same LAN, forwarding the multicast messages to a destination becomes more complicated. To solve the problem of multicast message routing, hosts need to join (or leave) a group by informing the multicast router on their network of the relevant group ID through the use of the Internet Group Management Protocol (IGMP). Multicast routers subsequently know of the members of multicast groups on their network and can decide whether or not to forward a received multicast message onto their network. A multicast routing protocol is also required. From a firewall administration perspective, monitoring and filtering IGMP traffic becomes another series of rule sets to manage, adding to the complexity of the firewall.

Another firewall issue related to multicasting is the use of NAT.
A firewall performing NAT that receives a multicast packet from an external host has no reverse mapping for which internal group ID should receive the data. If IGMP-aware, it could broadcast it to every group ID it knows about, because one of them will be correct, but this could cause serious issues if an unintended control packet were broadcast to a critical node. The safest action for the firewall to take is to drop the packet. Thus, multicasting is generally considered NAT-unfriendly.

5.11 Unidirectional Gateways

Hardware-enforced unidirectional gateways (e.g., data diodes) are increasingly deployed at the boundary between ICS and IT networks, as well as between Safety Instrumented System networks and control networks. Unidirectional gateways are a combination of hardware and software. The hardware permits data to flow from one network to another, but is physically unable to send any information at all back into the source network. The software replicates databases and emulates protocol servers and devices.

5.12 Single Points of Failure

Single points of failure can exist at any level of the ANSI/ISO stack. An example is PLC control of safety interlocks. Because security is usually being added to the ICS environment, an evaluation should be done to identify potential failure points and a risk assessment done to evaluate each point's exposure. Remediation methods can then be postulated and evaluated and a "risk versus reward" determination made and design and implementation done.

5.13 Redundancy and Fault Tolerance

ICS components or networks that are classified as critical to the organization have high availability requirements. One method of achieving high availability is through the use of redundancy. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS, or does not cause another problem elsewhere, such as a cascading event.
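The state tracking that 5.9 describes, and the reason 5.10.3 gives for dropping inbound multicast at a NAT firewall, can be seen in a small simulation. This is an added example, not code from NIST SP 800-82 or JPCERT; the addresses, port pool and Packet fields are constructed, with a 192.168.1.x inside and a 192.6.x.x outside mirroring the section's own example.

```python
"""Stateful NAT as described in 5.9, and why an inbound multicast packet has
no reverse mapping (5.10.3).

Added example for this page; it is not code from NIST SP 800-82 or from
JPCERT. The addresses, the port pool and the Packet fields are constructed
for the illustration; 192.168.1.x inside and 192.6.x.x outside mirror the
section's own example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def is_multicast(ip: str) -> bool:
    """IPv4 multicast group addresses occupy 224.0.0.0/4."""
    first_octet = int(ip.split(".")[0])
    return 224 <= first_octet <= 239


Endpoint = Tuple[str, int]


class NatFirewall:
    """Port-overloading NAT with a small, outwardly visible address pool."""

    def __init__(self, public_ips: List[str], port_range: Tuple[int, int] = (40000, 40010)):
        self.public_ips = list(public_ips)
        self.ports = range(port_range[0], port_range[1])
        self.out_map: Dict[Endpoint, Endpoint] = {}   # (private ip, port) -> (public ip, port)
        self.in_map: Dict[Endpoint, Endpoint] = {}    # reverse of out_map
        self.dropped: List[Tuple[str, Packet]] = []   # (reason, packet) kept for audit

    def _allocate(self) -> Endpoint:
        """Pick the first unused public address/port pair; fail when exhausted."""
        for ip in self.public_ips:
            for port in self.ports:
                if (ip, port) not in self.in_map:
                    return ip, port
        raise RuntimeError("public address/port pool exhausted")

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the private source to a public pair, creating state on first use."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_map:
            public = self._allocate()
            self.out_map[key] = public
            self.in_map[public] = key
        pub_ip, pub_port = self.out_map[key]
        return Packet(pub_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the mapping for return traffic; drop what cannot be mapped."""
        if is_multicast(pkt.dst_ip):
            # 5.10.3: a group address is not a tracked (ip, port) pair, so the
            # safest action is to drop rather than guess which group to flood.
            self.dropped.append(("multicast: no reverse mapping", pkt))
            return None
        key = (pkt.dst_ip, pkt.dst_port)
        if key not in self.in_map:
            # No internal host initiated this: unsolicited inbound traffic.
            self.dropped.append(("unsolicited: no state entry", pkt))
            return None
        priv_ip, priv_port = self.in_map[key]
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


if __name__ == "__main__":
    fw = NatFirewall(["192.6.0.1"])                         # constructed public address
    alert = Packet("192.168.1.20", 51000, "10.0.5.25", 25)  # control host -> mail relay
    out = fw.outbound(alert)
    print("outbound rewritten to", out)
    back = fw.inbound(Packet("10.0.5.25", 25, out.src_ip, out.src_port))
    print("return traffic delivered to", back)
    print("multicast from outside:", fw.inbound(Packet("10.0.5.9", 2222, "239.192.1.1", 2222)))
    print("drops:", fw.dropped)
```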
The control system should have the ability to execute an appropriate fail-safe process upon the loss of communications with the ICS or the loss of the ICS itself. The organization should define what "loss of communications" means (e.g., 500 milliseconds, 5 seconds, 5 minutes, etc. without communications). The organization should then, based on potential consequences, define the appropriate fail-safe process for their industry.
Backups should be performed using the "backup-in-depth" approach, with layers of backups (e.g., local, facility, disaster) that are time-sequenced such that rapid recent local backups are available for immediate use and secure backups are available to recover from a massive security incident. A mixture of backup/restore approaches and storage methods should be used to ensure that backups are rigorously produced, securely stored, and appropriately accessible for restoration.

5.14 Preventing Man-in-the-Middle Attacks

A man-in-the-middle attack requires knowledge of the protocol being manipulated. The Address Resolution Protocol (ARP) man-in-the-middle attack is a popular method for an adversary to gain access to the network flow of information on a target system.
This is performed by attacking the network ARP cache tables of the controller and the workstation machines. Using the compromised computer on the control network, the adversary poisons the ARP tables on each host and informs them that they must route all their traffic through a specific IP and hardware address (i.e., the adversary's machine). By manipulating the ARP tables, the adversary can insert their machine between the two target machines and/or devices.

The ARP man-in-the-middle attack works by initiating gratuitous ARP commands to confuse each host (i.e., ARP poisoning). These ARP commands cause each of the two target hosts to use the MAC address of the adversary as the address for the other target host. When a successful man-in-the-middle attack is performed, the hosts on each side of the attack are unaware that their network data is taking a different route through the adversary's computer.

Once an adversary has successfully inserted their machine into the information stream, they now have full control over the data communications and could carry out several types of attacks. One possible attack method is the replay attack. In its simplest form, captured data from the control/HMI is modified to instantiate activity when received by the device controller. Captured data reflecting normal operations in the ICS could be played back to the operator as required. This would cause the operator's HMI to appear to be normal and the attack will go unobserved. During this replay attack the adversary could continue to send commands to the controller and/or field devices to cause an undesirable event while the operator is unaware of the true state of the system.

Another attack that could be carried out with the man-in-the-middle attack is sending false messages to the operator, and could take the form of a false negative or a false positive.
This may cause the operator to take an action, such as flipping a breaker, when it is not required, or it may cause the operator to think everything is fine and not take an action when an action is required. The adversary could send commands to the operator's console indicating a system change, and when the operator follows normal procedures and attempts to correct the problem, the operator's action could cause an undesirable event. There are variations of the modification and replay of control data which could impact the operations of the system.

Protocol manipulation and the man-in-the-middle attack are among the most popular ways to manipulate insecure protocols, such as those found in control systems. However, there are mitigation techniques [38] that can be applied to secure the systems through MAC address locking, static tables, encryption, authentication, and monitoring.

- MAC Address Locking - The ARP man-in-the-middle attack requires the adversary to be connected to the local network or have control of a local computer on the network. Port security, also called MAC address locking, is one method to secure the physical connection at the end of each port on a network switch. High-end corporate class network switches usually have some kind of option for MAC address locking. MAC address locking is very effective against a rogue individual looking to physically plug into the internal network.
  Without port security, any open network jack on the wall could be used as an avenue onto the corporate network. Port security locks a specific MAC address to a specific port on a managed switch. If the MAC address does not match, the communication link is disabled and the intruder will not be able to achieve their goal. Some of the more advanced switches have an auto resetting option, which will reset the security measure if the original MAC is returned to the port. Although port security is not attacker proof, it does add a layer of added security to the physical network. It also protects the local network from employees plugging un-patched and out-of-date systems onto the protected network. This reduces the number of target computers a remote adversary can access. These security measures not only protect against attacks from external networks but provide added physical protection as well.

- Static Tables - An ICS network that stays relatively static could attempt to implement statically coded ARP tables. Most operating systems have the capability to statically code all of the MAC addresses into the ARP table on each computer.
Statically coding the ARP tables on each computer prevents the adversary from changing them by sending ARP reply packets to the victim computer. While this technique is not feasible on a large and/or dynamic corporate network, the limited number of hosts on an ICS network could be effectively protected this way.

• Encryption - As a longer-term solution, systems should be designed to include encryption between devices in order to make it very difficult to reverse engineer protocols and forge packets on control system networks. Encrypting the communications between devices would make it nearly impossible to perform this attack. Protocols that provide strong authentication also provide resilience to man-in-the-middle attacks. The impact of encryption on network and operational performance needs to be considered.

• Authentication - Protocols with strong authentication provide resilience to man-in-the-middle attacks.

• Monitoring - Monitoring for ARP poisoning provides an added layer of defense. There are several programs available (e.g., ARPwatch) that can monitor for changing MAC addresses through the ARP packets.
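The static-table and monitoring mitigations above can be combined in one small detector. The following is an added example, not code from NIST or from ARPwatch: it seeds an IP-to-MAC table from a constructed static allow-list (standing in for the pinned ARP entries on each host), then replays constructed ARP replies from a control-network segment and raises an alert when a reply contradicts a pinned entry, when a dynamically learned binding flips, or when a single MAC claims several IP addresses. All addresses and timestamps are constructed.

```python
"""ARPwatch-style monitor for ARP poisoning on an ICS segment (added illustration)."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as a sniffer would report it (constructed, not a real capture)."""
    ts: float          # seconds since the monitor started
    sender_ip: str
    sender_mac: str


# Constructed allow-list: the bindings each host's ARP table is statically pinned to.
STATIC_ARP: Dict[str, str] = {
    "10.10.1.1": "00:1d:9c:aa:00:01",   # gateway   (hypothetical)
    "10.10.1.10": "00:1d:9c:aa:00:10",  # PLC       (hypothetical)
    "10.10.1.20": "00:1d:9c:aa:00:20",  # HMI       (hypothetical)
}


class ArpMonitor:
    def __init__(self, static_table: Dict[str, str]) -> None:
        self.table: Dict[str, str] = {ip: mac.lower() for ip, mac in static_table.items()}
        self.static: Set[str] = set(static_table)
        self.claims: Dict[str, Set[str]] = {}   # MAC -> every IP it has claimed
        self.alerts: List[str] = []

    def observe(self, r: ArpReply) -> List[str]:
        """Feed one reply; returns the alerts it triggered (empty list when benign)."""
        mac = r.sender_mac.lower()
        found: List[str] = []
        known = self.table.get(r.sender_ip)
        if known is None:
            self.table[r.sender_ip] = mac           # first sighting: learn it
        elif known != mac:
            if r.sender_ip in self.static:
                # A pinned entry never follows the wire; a contradiction is the alert.
                found.append(f"STATIC-MISMATCH t={r.ts:.0f} {r.sender_ip} pinned {known} "
                             f"but wire says {mac}")
            else:
                # Dynamic entries follow the wire, as a normal ARP cache would, but a
                # change is still reported (NIC replacement or poisoning, to be triaged).
                found.append(f"FLIP-FLOP t={r.ts:.0f} {r.sender_ip} {known} -> {mac}")
                self.table[r.sender_ip] = mac
        self.claims.setdefault(mac, set()).add(r.sender_ip)
        if len(self.claims[mac]) > 1:
            # One station answering for several IPs is the classic poisoning signature.
            found.append(f"MULTI-IP t={r.ts:.0f} {mac} claims {sorted(self.claims[mac])}")
        self.alerts.extend(found)
        return found


# Constructed replay: normal traffic, then a rogue station answering for HMI and PLC.
CAPTURE: List[ArpReply] = [
    ArpReply(0.0, "10.10.1.10", "00:1d:9c:aa:00:10"),   # PLC, matches the pinned entry
    ArpReply(1.0, "10.10.1.30", "00:1d:9c:aa:00:30"),   # engineering laptop, learned
    ArpReply(60.0, "10.10.1.20", "00:1d:9c:aa:00:20"),  # HMI, matches the pinned entry
    ArpReply(61.0, "10.10.1.20", "de:ad:be:ef:00:01"),  # rogue station claims the HMI
    ArpReply(61.0, "10.10.1.10", "de:ad:be:ef:00:01"),  # same station claims the PLC
]


def run_monitor(capture: List[ArpReply] = CAPTURE) -> List[str]:
    mon = ArpMonitor(STATIC_ARP)
    for reply in capture:
        mon.observe(reply)
    return mon.alerts


if __name__ == "__main__":
    for line in run_monitor():
        print(line)
```

On the constructed replay the monitor produces two STATIC-MISMATCH alerts followed by one MULTI-IP alert, and nothing for the learned laptop. Pinned entries are deliberately never overwritten: that is what makes the static-table mitigation useful on a small, stable ICS network, while the FLIP-FLOP path shows why the same approach does not suit a large dynamic corporate LAN.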
5.15 Authentication and Authorization

An ICS may contain a large number of systems, each of which must be accessed by a variety of users. Performing the authentication and authorization of these users presents a challenge to the ICS.
Managing these user accounts can be problematic as employees are added, removed, and as their roles change. As the number of systems and users grows, the process of managing these accounts becomes more complicated.

The authentication of a user or system is the process of verifying the claimed identity. Authorization, the process of granting the user access privileges, is determined by applying policy rules to the authenticated identity and other relevant information (see footnote 31). Authorization is enforced by some access control mechanism. The authentication process can be used to control access to both systems (e.g., HMIs, field devices, SCADA servers) and networks (e.g., remote substation LANs).

Authentication and authorization can be performed either in a distributed or a centralized approach. With distributed authentication and authorization, every system performs these steps on its own. Each system is responsible for storing its own set of user accounts, credentials, and roles and for performing the identification and authentication of the user. This approach typically does not require any additional infrastructure. However, it is problematic in that it does not scale well as the size of the system increases. For example, if a user leaves the organization, the corresponding user account must be removed from each system individually.

In contrast to the distributed approach, centralized authentication and authorization systems are commonly used to manage larger numbers of users and accounts. A centralized approach utilizes some central authentication system (e.g., Microsoft Active Directory, Lightweight Directory Access Protocol (LDAP)) to store all accounts and manage the authentication and authorization of all individuals and systems. An authentication protocol (e.g., Kerberos, RADIUS, TACACS+) is then used to communicate data between the authentication server and the system performing authentication.
While a centralized approach provides substantially improved scalability, it also presents numerous additional concerns that may impact its use in ICS environments. The following considerations apply:

• Authentication servers create a single system that is responsible for managing all system accounts and must be highly secured.

• The authentication server requires high availability because its failure may prevent users from authenticating to a system during an emergency. Redundancy may be required.

• Some clients may cache user credentials locally to ensure that users can still be authenticated in the absence of the server. Caching may only be available for users that have recently authenticated. Caching also introduces complications for revocation.

• Networks used to support the authentication protocol must be reliable and secure to ensure authentication attempts are not hindered.

Footnote 31: In general, authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes.
For further information see NIST SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations, at http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
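The availability and credential-caching considerations above can be made concrete with a small model. This is an added example, not NIST's code and not the behaviour of any particular directory product: a client such as an HMI authenticates against a central server, remembers a salted hash of the credential of every user who authenticated successfully, and during an outage accepts only users who authenticated recently. The scenario then shows the revocation complication: an account deleted on the server keeps working offline until its cached entry expires or the client is told to purge it. Names, passwords, timestamps and the TTL are all constructed.

```python
"""Central authentication with a local credential cache (added illustration)."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

ITERATIONS = 100_000   # PBKDF2 work factor; constructed for the example


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; neither server nor cache stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class AuthServer:
    """Stands in for a central directory (e.g., AD or LDAP reached over RADIUS/Kerberos)."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Tuple[bytes, bytes]] = {}
        self.reachable = True   # flipped to False to simulate a server or link outage

    def add_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[user] = (salt, _derive(password, salt))

    def revoke(self, user: str) -> None:
        self._accounts.pop(user, None)

    def verify(self, user: str, password: str) -> bool:
        if not self.reachable:
            raise ConnectionError("authentication server unreachable")
        rec = self._accounts.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(_derive(password, salt), digest)


class CachingClient:
    """A workstation/HMI that falls back to cached credentials while the server is down."""

    def __init__(self, server: AuthServer, cache_ttl: float) -> None:
        self.server = server
        self.cache_ttl = cache_ttl
        self._cache: Dict[str, Tuple[bytes, bytes, float]] = {}   # user -> (salt, digest, cached_at)

    def purge(self, user: str) -> None:
        """Applied when a revocation notice reaches the client (the mitigation)."""
        self._cache.pop(user, None)

    def login(self, user: str, password: str, now: float) -> str:
        try:
            ok = self.server.verify(user, password)
        except ConnectionError:
            return self._login_cached(user, password, now)
        if ok:
            salt = os.urandom(16)
            self._cache[user] = (salt, _derive(password, salt), now)   # refreshed on success
            return "ok-online"
        self.purge(user)   # the authority said no: do not keep a stale entry around
        return "denied-online"

    def _login_cached(self, user: str, password: str, now: float) -> str:
        rec = self._cache.get(user)
        if rec is None:
            return "denied-no-cache"          # never authenticated here while the server was up
        salt, digest, cached_at = rec
        if now - cached_at > self.cache_ttl:
            return "denied-cache-expired"     # "recently authenticated" no longer holds
        if hmac.compare_digest(_derive(password, salt), digest):
            return "ok-cached"
        return "denied-cached"


def revocation_scenario() -> Dict[str, str]:
    """Outage and revocation cases from the considerations list; returns each outcome."""
    server = AuthServer()
    server.add_user("operator", "correct-horse")       # constructed credentials
    server.add_user("contractor", "battery-staple")
    hmi = CachingClient(server, cache_ttl=3600.0)
    t0 = 1_000.0
    out: Dict[str, str] = {}
    out["operator_online"] = hmi.login("operator", "correct-horse", t0)
    out["contractor_online"] = hmi.login("contractor", "battery-staple", t0)
    server.revoke("contractor")            # engagement ends; the HMI is not told
    server.reachable = False               # emergency: server or network is down
    out["operator_offline"] = hmi.login("operator", "correct-horse", t0 + 100)
    out["contractor_offline"] = hmi.login("contractor", "battery-staple", t0 + 100)   # still accepted
    out["maintainer_offline"] = hmi.login("maintainer", "anything", t0 + 100)
    out["operator_offline_stale"] = hmi.login("operator", "correct-horse", t0 + 4000)
    hmi.purge("contractor")                # revocation finally propagated to the client
    out["contractor_after_purge"] = hmi.login("contractor", "battery-staple", t0 + 100)
    return out


if __name__ == "__main__":
    for step, result in revocation_scenario().items():
        print(f"{step:28s} {result}")
```

The two knobs that bound the exposure are the cache TTL (how long "recently authenticated" lasts, which trades against the emergency-access requirement) and an explicit revocation channel that drives `purge()`; without the latter, the offline contractor login stays valid for the whole TTL.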
5.15.1 ICS Implementation Considerations

While centralized authentication and authorization servers are commonly used in an IT environment, there are many challenges to integrating them into an ICS. While authentication servers and protocols integrate with many commodity IT products (e.g., Microsoft Windows, Linux, Oracle), ICS often use their own application-specific accounts and authentication mechanisms that were not designed to interface with third-party servers and protocols. This limits the adoption of such mechanisms in an ICS environment. Older network devices and most field devices do not support any mechanism to integrate with a centralized authentication system.

5.16 Monitoring, Logging, and Auditing

The security architecture of an ICS must also incorporate mechanisms to monitor, log, and audit activities occurring on various systems and networks. Monitoring, logging, and auditing activities are imperative to understanding the current state of the ICS, validating that the system is operating as intended, and confirming that no policy violations or cyber incidents have hindered the operation of the system.
Network security monitoring is valuable to characterize the normal state of the ICS, and can provide indications of compromised systems when signature-based technologies fail. Additionally, strong system monitoring, logging, and auditing are necessary to troubleshoot and perform any necessary forensic analysis of the system (see footnote 33).

5.17 Incident Detection, Response, and System Recovery

Incidents are inevitable, and incident detection, response, and system recovery plans are essential. Major characteristics of a good security program are how soon after an incident has occurred the incident can be detected and how quickly a system can be recovered after an incident has been detected. Incident response in ICS is closely aligned to disaster recovery, specifically to address the stringent uptime requirements of ICS. Incident responders must be trained for ICS-specific scenarios, as normal methods of recovering IT systems may not apply to ICS.

Footnote 33: For further information see NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS) [55].
6. Applying Security Controls to ICS

A single security product or technology cannot adequately protect an ICS. Securing an ICS is based on a combination of effective security policies and a properly configured set of security controls.
The selection and implementation of security controls to apply to an ICS can have major implications on the operations, so it is critical to consider:

• Which security controls are needed to adequately mitigate risk to an acceptable level that supports the organizational missions and business functions?

• Have the selected security controls been implemented, or is there a realistic implementation plan in place?

• What is the required level of assurance that the selected security controls are implemented correctly, operating as intended, and producing a desired outcome?

As identified in Section 3, the questions should be answered in the context of an effective, organization-wide risk management process and cybersecurity strategy that identifies, mitigates (as necessary), and continuously monitors risks to its ICS. An effective cybersecurity strategy for an ICS should apply defense-in-depth, a technique of layering security mechanisms so that the impact of a failure in any one mechanism is minimized. Use of such a strategy is explored within the security control discussions and their applications to ICS that follow.

6.1 Executing the Risk Management Framework Tasks for Industrial Control Systems

The following describes the process of applying the Risk Management Framework (RMF) to ICS. The process includes a brief description of each activity and identifies supporting NIST documents. The following steps, while shown sequentially, can be implemented in a different order to be consistent with established management and system development life cycle processes [21].
Figure 6-1. Risk Management Framework Tasks

6.1.1 Step 1: Categorize Information System

The first activity in the RMF is to categorize the information and information system according to the potential impact of loss. For each information type and information system under consideration, the three FISMA-defined security objectives (confidentiality, integrity, and availability) are each associated with one of three levels of potential impact should there be a breach of security. It is important to remember that for an ICS, availability is generally the greatest concern. The standards and guidance for this categorization process can be found in FIPS 199 [15] and NIST SP 800-60 [25], respectively.
NIST is in the process of updating NIST SP 800-60 to provide additional guidance on the categorization of ICS.

The following ICS example is taken from FIPS 199 [15]:

ICS-specific Recommendations and Guidance

A power plant contains a SCADA system controlling the distribution of electric power for a large military installation. The SCADA system contains both real-time sensor data and routine administrative information.
The management at the power plant determines that: (i) for the sensor data being acquired by the SCADA system, there is no potential impact from a loss of confidentiality, a high potential impact from a loss of integrity, and a high potential impact from a loss of availability; and (ii) for the administrative information being processed by the system, there is a low potential impact from a loss of confidentiality, a low potential impact from a loss of integrity, and a low potential impact from a loss of availability. The resulting security categories, SC, of these information types are expressed as:

SC sensor data = {(confidentiality, NA), (integrity, HIGH), (availability, HIGH)}, and
SC administrative information = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}.

The resulting security category of the information system is initially expressed as:

SC SCADA system = {(confidentiality, LOW), (integrity, HIGH), (availability, HIGH)},

representing the high water mark or maximum potential impact values for each security objective from the information types resident on the SCADA system. The management at the power plant chooses to increase the potential impact from a loss of confidentiality from low to moderate, reflecting a more realistic view of the potential impact on the information system should there be a security breach due to the unauthorized disclosure of system-level information or processing functions. The final security category of the information system is expressed as:

SC SCADA system = {(confidentiality, MODERATE), (integrity, HIGH), (availability, HIGH)}.

FIPS 199 specifies that information systems be categorized as low-impact, moderate-impact, or high-impact for the security objectives of confidentiality, integrity, and availability. Possible definitions for low, moderate, and high levels of security based on impact for ICS based on ISA99 are provided in Table 6-1.
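The high-water-mark derivation in the power-plant example can be written down as a short procedure. The following is an added example, not NIST's code: it takes the security categories of the information types resident on a system, computes the system category as the maximum impact per objective (flooring the information-type value NA to LOW, which FIPS 199 permits only for confidentiality and does not carry to the system level), applies the management adjustment that raised confidentiality to MODERATE while refusing any adjustment that would go below the high-water mark, and reports the overall impact level that drives baseline selection in Step 2.

```python
"""FIPS 199 security categorization as applied to the SP 800-82 power-plant example
(added illustration, not NIST's code)."""
from typing import Dict, Tuple

OBJECTIVES = ("confidentiality", "integrity", "availability")
RANK = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
SecurityCategory = Dict[str, str]


def categorize_system(info_types: Dict[str, SecurityCategory]) -> SecurityCategory:
    """High-water mark: the maximum impact per objective over all resident information types.

    NA is allowed only for the confidentiality of an information type; at the
    system level the minimum for every objective is LOW, so NA is floored to LOW.
    """
    if not info_types:
        raise ValueError("a system must hold at least one information type")
    sc: SecurityCategory = {}
    for obj in OBJECTIVES:
        levels = []
        for name, it in info_types.items():
            lvl = it[obj].upper()
            if lvl not in RANK:
                raise ValueError(f"{name}: unknown impact level {it[obj]!r} for {obj}")
            if lvl == "NA" and obj != "confidentiality":
                raise ValueError(f"{name}: NA is only permitted for confidentiality")
            levels.append(lvl)
        top = max(levels, key=RANK.__getitem__)
        sc[obj] = "LOW" if top == "NA" else top
    return sc


def adjust(sc: SecurityCategory, adjustments: Dict[str, str]) -> SecurityCategory:
    """Management may raise an objective above the high-water mark, never lower it."""
    out = dict(sc)
    for obj, lvl in adjustments.items():
        lvl = lvl.upper()
        if RANK.get(lvl, -1) < RANK[out[obj]]:
            raise ValueError(f"{obj}: cannot go below the high-water mark {out[obj]}")
        out[obj] = lvl
    return out


def overall_impact(sc: SecurityCategory) -> str:
    """Impact level of the system as a whole; selects the tailored baseline in Step 2."""
    return max(sc.values(), key=RANK.__getitem__)


def format_sc(name: str, sc: SecurityCategory) -> str:
    """Renders a category in the FIPS 199 notation used in the text."""
    inner = ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES)
    return f"SC {name} = {{{inner}}}"


# The two information types from the power-plant example above.
SCADA_INFO_TYPES: Dict[str, SecurityCategory] = {
    "sensor data": {"confidentiality": "NA", "integrity": "HIGH", "availability": "HIGH"},
    "administrative information": {"confidentiality": "LOW", "integrity": "LOW", "availability": "LOW"},
}


def power_plant_example() -> Tuple[SecurityCategory, SecurityCategory, str]:
    """Returns (initial category, final category after adjustment, overall impact)."""
    initial = categorize_system(SCADA_INFO_TYPES)
    final = adjust(initial, {"confidentiality": "MODERATE"})
    return initial, final, overall_impact(final)


if __name__ == "__main__":
    initial, final, level = power_plant_example()
    print(format_sc("SCADA system (initial)", initial))
    print(format_sc("SCADA system (final)", final))
    print("overall impact:", level)
```

Running it reproduces the text's two SCADA system categories and an overall impact of HIGH; the refusal to lower an objective is what keeps a later "we only need LOW integrity for this network" decision from silently undoing the high-water mark.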
Possible definitions for ICS impact levels based on product produced, industry and security concerns are provided in Table 6-2.

Table 6-1. Possible Definitions for ICS Impact Levels Based on ISA99

| Impact Category | Low-Impact | Moderate-Impact | High-Impact |
| --- | --- | --- | --- |
| Injury | Cuts, bruises requiring first aid | Requires hospitalization | Loss of life or limb |
| Financial Loss | $1,000 | $100,000 | Millions |
| Environmental Release | Temporary damage | Lasting damage | Permanent damage, offsite damage |
| Interruption of Production | Minutes | Days | Weeks |
| Public Image | Temporary damage | Lasting damage | Permanent damage |
Table 6-2. Possible Definitions for ICS Impact Levels Based on Product Produced, Industry and Security Concerns

| Impact Category | Low-Impact | Moderate-Impact | High-Impact |
| --- | --- | --- | --- |
| Product Produced | Non-hazardous materials or products; Non-ingested consumer products | Some hazardous products or steps during production; High amount of proprietary information | Critical infrastructure (e.g., electricity); Hazardous materials; Ingested products |
| Industry Examples | Plastic injection molding; Warehouse applications | Automotive metal industries; Pulp and paper; Semiconductors | Utilities; Petrochemical; Food and beverage; Pharmaceutical |
| Security Concerns | Protection against minor injuries; Ensuring uptime | Protection against moderate injuries; Ensuring uptime; Capital investment | Protection against major injuries/loss of life; Ensuring uptime; Capital investment; Trade secrets; Ensuring basic social services; Regulatory compliance |

6.1.2 Step 2: Select Security Controls

This framework activity includes the initial selection of minimum security controls planned or in place to protect the information system based on a set of requirements. FIPS 200 documents a set of minimum security requirements covering 18 security-related areas with regard to protecting the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems [16]. Additional information on each of the 18 security control families is in Section 6.2.
The baseline controls are the starting point for the security control selection process and are chosen based on the security category and associated impact level of the information system determined in Step 1.

To address the need for developing community-wide and specialized sets of security controls for information systems and organizations, the concept of overlays is introduced. An overlay is a fully specified set of security controls, control enhancements, and supplemental guidance derived from the application of tailoring guidance to the security control baselines described in NIST SP 800-53. In general, overlays are intended to reduce the need for ad hoc tailoring of baselines by organizations through the selection of a set of controls and control enhancements that more closely correspond to common circumstances, situations, and/or conditions. However, the use of overlays does not in any way preclude organizations from performing further tailoring (i.e., overlays can also be subject to tailoring) to reflect organization-specific needs, assumptions, or constraints. For further information on creating overlays, refer to SP 800-53, Section 3.3 and Appendix I.

Appendix G includes an ICS-specific overlay of applicable NIST SP 800-53 controls that provides tailored baselines for low-impact, moderate-impact, and high-impact ICS. These tailored baselines can be utilized as starting specifications and recommendations that can be applied to specific ICS by responsible personnel. As discussed in earlier sections, the use of an overlay does not in any way preclude organizations from performing further tailoring to add or remove controls and control enhancements (i.e., overlays can also be subject to tailoring) to reflect organization-specific needs, assumptions, or constraints.
Additionally, ICS owners can take advantage of the ability to tailor the initial baselines presented in the Appendix G overlay when it is not possible or feasible to implement specific security controls contained in the baselines. However, all tailoring activity should, as its primary goal, focus on meeting the intent of the original security controls whenever possible or feasible. For example, in situations where the ICS cannot support, or the organization determines it is not advisable to implement, particular security controls or control enhancements in an ICS (e.g., performance, safety, or reliability are adversely impacted), the organization provides a complete and convincing rationale for how the selected compensating controls provide an equivalent security capability or level of protection for the ICS and why the related baseline security controls could not be employed. If the ICS cannot support the use of automated mechanisms, the organization employs non-automated mechanisms or procedures as compensating controls in accordance with the general tailoring guidance in Section 3.3 of NIST SP 800-53. Compensating controls are not exceptions or waivers to the baseline controls; rather, they are alternative safeguards and countermeasures employed within the ICS that accomplish the intent of the original security controls that could not be effectively employed. Organizational decisions on the use of compensating controls are documented in the security plan for the ICS.

6.1.3 Step 3: Implement Security Controls

This activity involves the implementation of security controls in new or legacy information systems. The security control selection process described in this section can be applied to ICS from two different perspectives: (i) new development; and (ii) legacy.
For new development systems, the security control selection process is applied from a requirements definition perspective since the systems do not yet exist and organizations are conducting initial security categorizations. The security controls included in the security plans for the information systems serve as a security specification and are expected to be incorporated into the systems during the development and implementation phases of the system development life cycle.

In contrast, for legacy information systems, the security control selection process is applied from a gap analysis perspective when organizations are anticipating significant changes to the systems (e.g., during major upgrades, modifications, or outsourcing). Since the information systems already exist, organizations in all likelihood have completed the security categorization and security control selection processes, resulting in the establishment of previously agreed-upon security controls in the respective security plans and the implementation of those controls within the information systems.

6.1.4 Step 4: Assess Security Controls

This activity determines the extent to which the security controls in the information system are effective in their application. NIST SP 800-53A provides guidance for assessing security controls initially selected from NIST SP 800-53 to ensure that they are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements of the system. To accomplish this, NIST SP 800-53A provides expectations based on assurance requirements defined in NIST SP 800-53 for characterizing the expectations of security assessments by FIPS 199 impact level.
6.1.5 Step 5: Authorize Information System

This activity results in a management decision to authorize the operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls.
ææžã¿ã®ã»ãã¥ãªãã£å¯Ÿçãçå®ãããããããæ å ±ã·ã¹ãã ã§å®è£ ãããŠããã 6.1.4 æé 4ïŒã»ãã¥ãªãã£å¯Ÿçã®è©äŸ¡ ãã®æŽ»åã¯ãæ å ±ã·ã¹ãã äžã®ã»ãã¥ãªãã£å¯Ÿçããããããã®çšéã«ãããŠã©ãã»ã©æå¹ã§ ããããå€å®ãããNIST SP 800-53A ã§ã¯ãã»ãã¥ãªãã£å¯Ÿçãé©æ£ã«å®è£ ããäºå®ã©ããã« åäœãããã·ã¹ãã ã®ã»ãã¥ãªãã£èŠä»¶ã«ããªã£ãææã®çµæãåŸããããNIST SP 800-53 ã ãéžãã ã»ãã¥ãªãã£å¯Ÿçãè©äŸ¡ããããã®ã¬ã€ãã³ã¹ã瀺ãããŠããããããå®çŸããããã NIST SP 800-53A ã«ã¯ãFIPS199 ã®åœ±é¿ã¬ãã«ã«åŸã£ãã»ãã¥ãªãã£è©äŸ¡äºæ³ãç¹åŸŽä»ããã NIST SP 800-53 ã§å®çŸ©ãããä¿èšŒèŠä»¶ã«åºã¥ããæåŸ ã«ã€ããŠèšè¿°ãããŠããã 6.1.5 æé 5ïŒæ å ±ã·ã¹ãã ã®èš±å¯ ãã®æŽ»åã®çµæãçµå¶é£ã®æ±ºå®ãšãªããæ å ±ã·ã¹ãã ã®çšŒåãèš±å¯ããåæãããã»ãã¥ãªã ã£å¯Ÿçã®å®è£ ãåºèª¿ãšããŠãçµç¹æ¥åã»è³ç£ã»äººå¡ãžã®ãªã¹ã¯ãæ瀺çã«åãå ¥ããããšã«ãª ãã 138 SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY 6.1.6 Step 6: Monitor Security Controls This activity continuously tracks changes to the information system that may affect security controls and assesses control effectiveness. NIST SP 800-137 provides guidance on information security continuous monitoring [21]. 6.2 Guidance on the Application of Security Controls to ICS Because todayâs ICS are often a combination of legacy systems, often with a planned life span of twenty to thirty years, or a hybrid of legacy systems augmented with newer hardware and software that are interconnected to other systems, it is often difficult or infeasible to apply some of the security controls contained in NIST SP 800-53. While many controls in Appendix F of NIST SP 800-53 are applicable to ICS as written, several controls did require ICS-specific interpretation and/or augmentation. Appendix I of NIST SP 800-53 provides an example overlay template and additional information on each section of the overlay. The NIST SP 800-53 controls are organized into 18 families; each family contains security controls related to the general security topic of the family. 
Security controls may involve aspects of policy, oversight, supervision, manual processes, actions by individuals, or automated mechanisms implemented by information systems/devices. The 18 security-related areas discussed in the following sections are:

■ Access Control (AC): the process of granting or denying specific requests for obtaining and using information and related information processing services for physical access to areas within the information system environment.
■ Awareness and Training (AT): policies and procedures to ensure that all information system users are given appropriate security training relative to their usage of the system and that accurate training records are maintained.
■ Audit and Accountability (AU): independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.
■ Security Assessment and Authorization (CA): assurance that the specified controls are implemented correctly, operating as intended, and producing the desired outcome.
■ Contingency Planning (CP): policies and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disaster.
■ Configuration Management (CM): policies and procedures for controlling modifications to hardware, firmware, software, and documentation to ensure the information system is protected against improper modifications prior to, during, and after system implementation.
■ Identification and Authentication (IA): the process of verifying the identity of a user, process, or device, through the use of specific credentials (e.g., passwords, tokens, biometrics), as a prerequisite for granting access to resources in an IT system.
■ Incident Response (IR): policies and procedures pertaining to incident response training, testing, handling, monitoring, reporting, and support services.
■ Maintenance (MA): policies and procedures to manage all maintenance aspects of an information system.
■ Media Protection (MP): policies and procedures to ensure secure handling of media. Controls cover access, labeling, storage, transport, sanitization, destruction, and disposal.
■ Physical and Environmental Protection (PE): policies and procedures addressing physical, transmission, and display access control as well as environmental controls for conditioning (e.g., temperature, humidity) and emergency provisions (e.g., shutdown, power, lighting, fire protection).
■ Planning (PL): development and maintenance of a plan to address information system security by performing assessments, specifying and implementing security controls, assigning security levels, and responding to incidents.
■ Personnel Security (PS): policies and procedures for personnel position categorization, screening, transfer, penalty, and termination; also addresses third-party personnel security.
■ Risk Assessment (RA): the process of identifying risks to operations, assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact.
■ System and Services Acquisition (SA): allocation of resources for information system security to be maintained throughout the system's life cycle and the development of acquisition policies based on risk assessment results including requirements, design criteria, test procedures, and associated documentation.
■ System and Communications Protection (SC): mechanisms for protecting both system and data transmission components.
■ System and Information Integrity (SI): policies and procedures to protect information systems and their data from design flaws and data modification using functionality verification, data integrity checking, intrusion detection, malicious code detection, and security alert and advisory controls.
■ Program Management (PM): provides security controls at the organizational rather than the information-system level.

Additionally, Appendix J of NIST SP 800-53 Rev. 4 includes a catalog of Privacy Controls. Privacy controls are the administrative, technical, and physical safeguards employed within organizations to protect and ensure the proper handling of personally identifiable information (PII). (35) The 8 privacy control families are each aligned with the Fair Information Practice Principles (FIPPs), (36) which are designed to build public trust in an organization's privacy practices and to help organizations avoid tangible costs and intangible damages stemming from privacy incidents.

35. OMB Memorandum 07-16 defines PII as "information which can be used to distinguish or trace an individual's identity such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc." [86]. OMB Memorandum 10-22 reaffirmed this definition [87]. NIST Special Publication 800-122 defines PII as "any information about an individual [that is] maintained by an agency, including: (i) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (ii) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information" [88].

36. The FIPPs are widely accepted in the United States and internationally as a general framework for privacy and are reflected in other federal and international laws and policies. In a number of organizations, FIPPs serve as the basis for analyzing privacy risks and determining appropriate mitigation strategies. The Federal Enterprise Architecture Security and Privacy Profile (FEA-SPP) also provided information and materials in development of the privacy controls [89].

Sections 6.2.1 through 6.2.19 introduce each of the SP 800-53 control families and privacy controls, provide background information on the control family, as well as any ICS guidance and implementation considerations for ICS owners. ICS-specific recommendations and guidance, if available, are provided in an outlined box for each section. Much of the ICS-specific guidance was derived from ISA-62443 [34] and the EPRI report: Supervisory Control and Data Acquisition (SCADA) Systems Security Guide [62].
6.2.1 Access Control

The security controls that fall within the NIST SP 800-53 Access Control (AC) family provide policies and procedures for specifying the use of system resources by only authorized users, programs, processes, or other systems. This family specifies controls for managing information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts. Controls cover access and flow enforcement issues such as separation of duties, least privilege, unsuccessful login attempts, system use notification, previous logon notification, concurrent session control, session lock, and session termination. There are also controls to address the use of portable and remote devices and personally owned information systems to access the information system as well as the use of remote access capabilities and the implementation of wireless technologies. Access can take several forms, including viewing, using, and altering specific data or device functions.

Supplemental guidance for the AC controls can be found in the following documents:

■ NIST SP 800-63 provides guidance on remote electronic authentication [53].
■ NIST SP 800-48 provides guidance on wireless network security with particular emphasis on the IEEE 802.11b and Bluetooth standards 0.
■ NIST SP 800-97 provides guidance on IEEE 802.11i wireless network security [64].
■ FIPS 201 provides requirements for the personal identity verification of federal employees and contractors [65].
■ NIST SP 800-96 provides guidance on PIV card to reader interoperability [66].
■ NIST SP 800-73 provides guidance on interfaces for personal identity verification [49].
■ NIST SP 800-76 provides guidance on biometrics for personal identity verification [50].
■ NIST SP 800-78 provides guidance on cryptographic algorithms and key sizes for personal identity verification [67].

If the new federal Personal Identity Verification (PIV) is used as an identification token, the access control system should conform to the requirements of FIPS 201 and NIST SP 800-73 and employ either cryptographic verification or biometric verification. When token-based access control employs cryptographic verification, the access control system should conform to the requirements of NIST SP 800-78. When token-based access control employs biometric verification, the access control system should conform to the requirements of NIST SP 800-76.

Access control technologies are filter and blocking technologies designed to direct and regulate the flow of information between devices or systems once authorization has been determined. The following sections present several access control technologies and their use with ICS.
6.2.1.1 Role-based Access Control (RBAC)

RBAC is a technology that has the potential to reduce the complexity and cost of security administration in networks with large numbers of intelligent devices. Under RBAC, security administration is simplified through the use of roles, hierarchies, and constraints to organize user access levels. RBAC reduces costs within an organization because it accepts that employees change roles and responsibilities more frequently than the duties within roles and responsibilities change.

ICS-specific Recommendations and Guidance

RBAC can be used to provide a uniform means to manage access to ICS devices while reducing the cost of maintaining individual device access levels and minimizing errors. RBAC should be used to restrict ICS user privileges to only those that are required to perform each person's job (i.e., configuring each role based on the principle of least privilege). The level of access can take several forms, including viewing, using, and altering specific ICS data or device functions.

RBAC tools can set, modify, or remove authorizations in applications, but they do not replace the authorization mechanism; they do not check and authenticate users every time a user wants to access an application. RBAC tools offer interfaces to authorization mechanisms for most current platforms in the IT arena. However, legacy ICS systems or specialized ICS equipment may require development of specialized interface software. This issue is a large problem for ICS that use a number of proprietary operating systems or customized operating system implementations and interfaces.
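The roles, hierarchies, and constraints described above, as an added worked example that is not part of the NIST text or any vendor's RBAC tool: a small Python model in which roles inherit permissions from parent roles, a static separation-of-duty constraint prevents one person from holding two conflicting roles, and each access check grants only what some held role explicitly allows (least privilege). The role names, users, resources, and actions (viewer, operator, engineer, auditor, plc1, write_setpoint, and so on) are constructed for illustration.

```python
"""Minimal RBAC model for ICS users (added example; roles and users are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset   # (resource, action) pairs granted directly to the role
    parents: tuple = ()      # names of roles whose permissions this role inherits


class Rbac:
    """Role store with a role hierarchy and static separation-of-duty constraints."""

    def __init__(self):
        self.roles = {}         # role name -> Role
        self.assignments = {}   # user -> set of role names
        self.exclusive = set()  # frozenset pairs of roles one user may never hold together

    def add_role(self, name, permissions, parents=()):
        for parent in parents:
            if parent not in self.roles:
                raise KeyError(f"unknown parent role {parent!r}")
        self.roles[name] = Role(name, frozenset(permissions), tuple(parents))

    def add_sod_constraint(self, role_a, role_b):
        """Static separation of duty: no user may be assigned both roles."""
        self.exclusive.add(frozenset((role_a, role_b)))

    def effective_permissions(self, role_name):
        """Permissions granted to the role directly plus everything inherited up the hierarchy."""
        perms, seen, todo = set(), set(), [role_name]
        while todo:
            current = todo.pop()
            if current in seen:
                continue
            seen.add(current)
            role = self.roles[current]
            perms |= role.permissions
            todo.extend(role.parents)
        return frozenset(perms)

    def assign(self, user, role_name):
        """Give a user a role, refusing assignments that violate a SoD constraint."""
        if role_name not in self.roles:
            raise KeyError(f"unknown role {role_name!r}")
        held = self.assignments.setdefault(user, set())
        for other in held:
            if frozenset((other, role_name)) in self.exclusive:
                raise ValueError(f"{user} may not hold both {other!r} and {role_name!r}")
        held.add(role_name)

    def is_permitted(self, user, resource, action):
        """Least privilege: allowed only if some held role grants exactly this pair."""
        return any((resource, action) in self.effective_permissions(r)
                   for r in self.assignments.get(user, ()))


def build_example():
    """Constructed plant roles: operator and engineer both inherit from viewer."""
    rb = Rbac()
    rb.add_role("viewer", {("hmi", "view"), ("historian", "read")})
    rb.add_role("operator", {("plc1", "write_setpoint")}, parents=("viewer",))
    rb.add_role("engineer", {("plc1", "download_logic"), ("plc1", "change_config")},
                parents=("viewer",))
    rb.add_role("auditor", {("audit_log", "read")})
    # Whoever changes controller logic must not also be the one reviewing the audit trail.
    rb.add_sod_constraint("engineer", "auditor")
    rb.assign("alice", "operator")
    rb.assign("bob", "engineer")
    rb.assign("carol", "auditor")
    return rb


if __name__ == "__main__":
    rb = build_example()
    for user, resource, action in [("alice", "plc1", "write_setpoint"),
                                   ("alice", "plc1", "download_logic"),
                                   ("bob", "hmi", "view")]:
        print(user, resource, action, "->", rb.is_permitted(user, resource, action))
    try:
        rb.assign("bob", "auditor")
    except ValueError as err:
        print("refused:", err)
```

The model stores authorizations only; as the text notes, it does not authenticate the user on each access, so in a deployment `is_permitted` would sit behind whatever authentication the HMI, historian, or controller interface already performs.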
6.2.1.2 Web Servers

Web and Internet technologies are being added to a wide variety of ICS products because they make information more accessible and products more user-friendly and easier to configure remotely. However, they may also add cyber risks and create new security vulnerabilities that need to be addressed.

ICS-specific Recommendations and Guidance

SCADA and historian software vendors typically provide Web servers as a product option so that users outside the control room can access ICS information. In many cases, software components such as ActiveX controls or Java applets must be installed or downloaded onto each client machine accessing the Web server. Some products, such as PLCs and other control devices, are available with embedded Web, FTP, and email servers to make them easier to configure remotely and allow them to generate email notifications and reports when certain conditions occur. When feasible, use HTTPS rather than HTTP, use SFTP or SCP rather than FTP, block inbound FTP and email traffic, etc. Security appliances (or gateways) are beginning to appear with application proxies able to examine Web, FTP, and email traffic to block attacks and prevent downloading of ActiveX® controls or Java® applets. Unless there is substantial benefit to connecting ICSs to the Internet, the systems are best left not connected.

6.2.1.3 Virtual Local Area Network (VLAN)

VLANs divide physical networks into smaller logical networks to increase performance, improve manageability, and simplify network design. VLANs are achieved through configuration of Ethernet switches. Each VLAN consists of a single broadcast domain that isolates traffic from other VLANs.
Just as replacing hubs with switches reduces collisions, using VLANs limits the broadcast traffic, as well as allowing logical subnets to span multiple physical locations. There are two categories of VLANs:

■ Static, often referred to as port-based, where switch ports are assigned to a VLAN so that it is transparent to the end user.
■ Dynamic, where an end device negotiates VLAN characteristics with the switch or determines the VLAN based on the IP or hardware addresses.

Although more than one IP subnet may coexist on the same VLAN, the general recommendation is to use a one-to-one relationship between subnets and VLANs. This practice requires the use of a router or multilayer switch to join multiple VLANs. Many routers and firewalls support tagged frames so that a single physical interface can be used to route between multiple logical networks.

VLANs are not typically deployed to address host or network vulnerabilities in the way that firewalls or IDS are deployed. However, when properly configured, VLANs do allow switches to enforce security policies and segregate traffic at the Ethernet layer. Properly segmented networks can also mitigate the risks of broadcast storms that may result from port scanning or worm activity.

Switches have been susceptible to attacks such as MAC spoofing, table overflows, and attacks against the spanning tree protocols, depending on the device and its configuration. VLAN hopping, the ability for an attacker to inject frames into unauthorized ports, has been demonstrated using switch spoofing or double-encapsulated frames. These attacks cannot be conducted remotely and require local physical access to the switch.
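Two of the points above in working code, as an added example that is not drawn from the NIST text or from any switch vendor: an 802.1Q tag parser that flags double-encapsulated (stacked-tag) frames observed on a trunk that should carry only known VLAN IDs, and a check that an address inventory keeps the recommended one-to-one mapping between IP subnets and VLANs. The frames, MAC addresses, and inventory rows are constructed; in practice the frame bytes would come from a mirror (SPAN) port or a packet capture and the inventory from an IPAM export.

```python
"""802.1Q tag parsing and subnet/VLAN consistency checks (added example; inputs constructed)."""
import struct
from collections import defaultdict

TPID_8021Q = 0x8100   # customer VLAN tag
TPID_8021AD = 0x88A8  # service (Q-in-Q outer) tag


def parse_vlan_tags(frame):
    """Return (vlan_ids, ethertype, payload_offset) for a raw Ethernet frame.

    Each 802.1Q/802.1ad tag is 4 bytes: a 16-bit TPID followed by a 16-bit TCI whose
    low 12 bits are the VLAN ID. Tags may be stacked, which is what double encapsulation
    relies on, so the loop keeps consuming tags until a non-tag EtherType is reached.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, vids = 12, []          # 12 = destination MAC (6) + source MAC (6)
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame while reading EtherType")
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in (TPID_8021Q, TPID_8021AD):
            return vids, etype, offset + 2
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)
        offset += 4


def audit_frame(frame, allowed_vids):
    """Findings for one frame seen on a trunk that should carry only allowed_vids."""
    vids, _, _ = parse_vlan_tags(frame)
    findings = []
    if len(vids) > 1:
        findings.append("double_tag")
    findings.extend(f"vid_not_allowed:{vid}" for vid in vids if vid not in allowed_vids)
    return findings


def audit_subnet_vlan_map(inventory):
    """Report subnets spread over several VLANs and VLANs carrying several subnets.

    inventory: iterable of (subnet, vlan_id) pairs.
    """
    vlans_per_subnet, subnets_per_vlan = defaultdict(set), defaultdict(set)
    for subnet, vid in inventory:
        vlans_per_subnet[subnet].add(vid)
        subnets_per_vlan[vid].add(subnet)
    findings = [f"subnet {s} spans VLANs {sorted(v)}"
                for s, v in vlans_per_subnet.items() if len(v) > 1]
    findings += [f"VLAN {v} carries subnets {sorted(s)}"
                 for v, s in subnets_per_vlan.items() if len(s) > 1]
    return findings


def build_frame(dst, src, vids, ethertype, payload=b""):
    """Assemble a sample frame with zero or more stacked 802.1Q tags (PCP and DEI = 0)."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


# Constructed sample input: a normally tagged IPv4 frame and a double-tagged one.
BCAST = b"\xff" * 6
HMI = b"\x00\x1c\x06\x00\x00\x01"
PLAIN = build_frame(BCAST, HMI, [10], 0x0800, b"\x45")
STACKED = build_frame(BCAST, HMI, [10, 20], 0x0800)
INVENTORY = [("10.1.10.0/24", 10), ("10.1.20.0/24", 20), ("10.1.30.0/24", 20),
             ("10.1.40.0/24", 40), ("10.1.40.0/24", 41)]

if __name__ == "__main__":
    print("plain  :", audit_frame(PLAIN, {10}))
    print("stacked:", audit_frame(STACKED, {10}))
    print("inventory:", audit_subnet_vlan_map(INVENTORY))
```

A double-tagged frame arriving on a port where the switch is expected to strip a single tag is the signature of the double-encapsulation technique mentioned above, so `double_tag` findings on access-facing mirror ports deserve a look at the port's native VLAN and trunk settings rather than being dismissed as noise.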
A variety of features such as MAC address filtering, port-based authentication using IEEE 802.1x, and specific vendor recommended practices can be used to mitigate these attacks, depending on the device and implementation.

ICS-specific Recommendations and Guidance

VLANs have been effectively deployed in ICS networks, with each automation cell assigned to a single VLAN to limit unnecessary traffic flooding and allow network devices on the same VLAN to span multiple switches [34].

6.2.1.4 Dial-up Modems

ICS systems have stringent reliability and availability requirements. When there is a need to troubleshoot and repair, the technical resources may not be physically located at the control room or facility. Therefore, ICS often use modems to enable vendors, system integrators, or control engineers maintaining the system to dial in and diagnose, repair, configure, and perform maintenance on the network or component. While this allows easy access for authorized personnel, if the dial-up modems are not properly secured, they can also provide backdoor entries for unauthorized use.

Dial-up often uses remote control software that gives the remote user powerful (administrative or root) access to the target system.
Such software usually has security options that should be carefully reviewed and configured.

ICS-specific Recommendations and Guidance

■ Consider using callback systems when dial-up modems are installed in an ICS. This ensures that a dialer is an authorized user by having the modem establish the working connection based on the dialer's information and a callback number stored in the ICS approved authorized user list.
■ Ensure that default passwords have been changed and strong passwords are in place for each modem.
■ Physically identify modems in use to the control room operators.
■ Configure remote control software to use unique user names and passwords, strong authentication, encryption if determined appropriate, and audit logs. Use of this software by remote users should be monitored on an almost real-time frequency.
■ If feasible, disconnect modems when not in use or consider automating this disconnection process by having modems disconnect after being on for a given amount of time. It should be noted that sometimes modem connections are part of the legal support service agreement with the vendor (e.g., 24x7 support with 15 minute response time). Personnel should be aware that disconnecting/removing the modems may require that contracts be renegotiated.
6.2.1.5 Wireless

The use of wireless within an ICS is a risk-based decision that has to be determined by the organization. Generally, wireless LANs should only be deployed where health, safety, environmental, and financial implications are low. NIST SP 800-48 and SP 800-97 provide guidance on wireless network security.

ICS-specific Recommendations and Guidance

Wireless LANs

■ Prior to installation, a wireless survey should be performed to determine antenna location and strength to minimize exposure of the wireless network. The survey should take into account the fact that attackers can use powerful directional antennas, which extend the effective range of a wireless LAN beyond the expected standard range. Faraday cages and other methods are also available to minimize exposure of the wireless network outside of the designated areas.
■ Wireless users' access should utilize IEEE 802.1x authentication using a secure authentication protocol (e.g., Extensible Authentication Protocol [EAP] with TLS [EAP-TLS]) that authenticates users via user certificates or a Remote Authentication Dial In User Service (RADIUS) server.
■ The wireless access points and data servers for wireless worker devices should be located on an isolated network with documented and minimal (single if possible) connections to the ICS network.
■ Wireless access points should be configured to have a unique service set identifier (SSID), disable SSID broadcast, and enable MAC filtering at a minimum.
■ Wireless devices, if being utilized in a Microsoft Windows ICS network, should be configured into a separate organizational unit of the Windows domain.
■ Wireless device communications should be encrypted and integrity-protected. The encryption must not degrade the operational performance of the end device. Encryption at OSI Layer 2 should be considered, rather than at Layer 3, to reduce encryption latency. The use of hardware accelerators to perform cryptographic functions should also be considered.
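The access point settings recommended in the list above, turned into a check, as an added example that is not part of the NIST text: a weak and a hardened access point configuration written in hostapd's key=value syntax (the keys used, such as `ignore_broadcast_ssid`, `macaddr_acl`, `ieee8021x`, `wpa_key_mgmt`, `rsn_pairwise`, `ieee80211w` and `auth_server_addr`, are real hostapd options, but the choice of hostapd, the values, the SSID, the RADIUS address and the file path are assumptions for illustration), and an audit function that lists which recommendations a configuration fails. The EAP method itself (EAP-TLS) is negotiated by the RADIUS server, so it does not appear as an access point key; the check only verifies that 802.1X/EAP with a RADIUS server is configured at all.

```python
"""Audit a hostapd-style AP configuration against the wireless LAN recommendations
(added example; both sample configurations are constructed)."""


def parse_hostapd(text):
    """Parse key=value lines, ignoring blank lines and comments (hostapd.conf syntax)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_ap_config(cfg):
    """Return the recommendations the configuration fails, in a fixed order."""
    findings = []
    # Unique SSID: this only catches hostapd's built-in default name; uniqueness across
    # access points has to be checked against the site inventory.
    if cfg.get("ssid", "test") in ("", "test"):
        findings.append("ssid_not_unique")
    if cfg.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("ssid_broadcast_enabled")
    if cfg.get("macaddr_acl", "0") != "1":          # 1 = accept only MACs in accept_mac_file
        findings.append("mac_filtering_disabled")
    key_mgmt = cfg.get("wpa_key_mgmt", "").split()
    if cfg.get("ieee8021x") != "1" or "WPA-EAP" not in key_mgmt:
        findings.append("no_8021x_eap")
    elif not cfg.get("auth_server_addr"):
        findings.append("no_radius_server")
    if cfg.get("wpa") != "2":                        # 2 = RSN/WPA2 only, no WPA1 fallback
        findings.append("wpa2_not_enforced")
    if cfg.get("rsn_pairwise", cfg.get("wpa_pairwise", "")) != "CCMP":
        findings.append("cipher_not_ccmp")
    if cfg.get("ieee80211w") != "2":                 # 2 = management frame protection required
        findings.append("management_frames_unprotected")
    return findings


# Constructed weak configuration: pre-shared key, SSID broadcast on, no MAC allow-list.
WEAK = """\
interface=wlan0
ssid=PLANT-WIFI
hw_mode=g
channel=6
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=changeme
"""

# Constructed hardened configuration: hidden unique SSID, MAC allow-list, 802.1X via RADIUS.
HARDENED = """\
interface=wlan0
ssid=CELL3-AP1-7f2a
hw_mode=g
channel=6
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/cell3.accept
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee80211w=2
auth_server_addr=10.3.0.5
auth_server_port=1812
auth_server_shared_secret=REPLACE-WITH-LONG-RANDOM-SECRET
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {audit_ap_config(parse_hostapd(text)) or 'no findings'}")
```

The audit deliberately reports every failed recommendation rather than stopping at the first one, so the output for a configuration pulled from a field access point doubles as the remediation list for that device.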
For mesh networks, consider the use of broadcast key versus public key management implemented at OSI Layer 2 to maximize performance. Asymmetric cryptography should be used to perform administrative functions, and symmetric encryption should be used to secure each data stream as well as network control traffic. An adaptive routing protocol should be considered if the devices are to be used for wireless mobility. The convergence time of the network should be as fast as possible, supporting rapid network recovery in the event of a failure or power loss. The use of a mesh network may provide fault tolerance through alternate route selection and pre-emptive fail-over of the network.

Wireless field networks

The ISA100 Committee (see footnote 39) is working to establish standards, recommended practices, technical reports, and related information that will define procedures for implementing wireless systems in the automation and control environment with a focus on the field level (e.g., IEEE 802.15.4). Guidance is directed towards those responsible for the complete life cycle, including designing, implementing, on-going maintenance, scalability, or managing industrial automation and control systems, and applies to users, system integrators, practitioners, and control systems manufacturers and vendors.

Footnote 39: Additional information on ISA100 at: http://www.isa.org/isa100.
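The access point settings the guidance above calls for (unique SSID, SSID broadcast disabled, MAC filtering, IEEE 802.1x with EAP against a RADIUS server) can be checked mechanically before an AP is connected to an isolated ICS segment. The following is an added example, not part of NIST SP 800-82 or of any vendor's tooling: it parses a hostapd-style configuration (the option names are hostapd's; the two sample configurations, addresses and shared secret are constructed for the example) and reports which of the recommendations are not met, showing a weak configuration beside its corrected form.

```python
"""Audit a hostapd-style access point configuration against the ICS wireless
LAN recommendations: unique SSID, SSID broadcast disabled, MAC filtering,
and IEEE 802.1X/EAP authentication against an external RADIUS server.
The option names are hostapd's; both sample configurations are constructed."""

# Constructed sample: a factory-default style configuration with a shared passphrase.
WEAK_CONF = """
interface=wlan0
ssid=default
ignore_broadcast_ssid=0
macaddr_acl=0
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=changeme
"""

# Constructed sample: the same AP corrected to WPA2-Enterprise (EAP via RADIUS).
HARDENED_CONF = """
interface=wlan0
ssid=plant3-cell12-ics
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
auth_server_addr=10.10.5.20
auth_server_port=1812
auth_server_shared_secret=EXAMPLE-SHARED-SECRET
"""

# SSIDs that indicate the vendor default was never changed (illustrative list).
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "wireless"}


def parse_hostapd(text):
    """Parse key=value lines; a repeated key overrides the earlier value, as hostapd does."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_ap(conf):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    ssid = conf.get("ssid", "")
    if not ssid or ssid.lower() in DEFAULT_SSIDS:
        findings.append("SSID is missing or a vendor default; set a unique SSID")
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID broadcast is enabled; set ignore_broadcast_ssid=1")
    # macaddr_acl=1 means only stations listed in accept_mac_file may associate.
    if conf.get("macaddr_acl", "0") != "1" or "accept_mac_file" not in conf:
        findings.append("MAC filtering not enforced; set macaddr_acl=1 with an accept_mac_file")
    key_mgmt = conf.get("wpa_key_mgmt", "").split()
    if conf.get("ieee8021x") != "1" or "WPA-EAP" not in key_mgmt:
        findings.append("802.1X/EAP not in use; set ieee8021x=1 and wpa_key_mgmt=WPA-EAP")
    elif conf.get("eap_server", "0") != "1" and "auth_server_addr" not in conf:
        findings.append("802.1X enabled but no RADIUS/EAP server is configured")
    if "wpa_passphrase" in conf:
        findings.append("pre-shared passphrase present; remove it for an enterprise deployment")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ap(parse_hostapd(text)) or "no findings")
```

The check confirms that EAP is configured on the AP side only; whether the RADIUS server actually requires client certificates (EAP-TLS) has to be verified on the server. Hidden SSIDs and MAC filtering are the floor the guidance sets ("at a minimum"), not a substitute for 802.1x authentication and encryption.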
6.2.2 Awareness and Training

The security controls that fall within the NIST SP 800-53 Awareness and Training (AT) family provide policy and procedures for ensuring that all users of an information system are provided basic information system security awareness and training materials before authorization to access the system is granted. Personnel training must be monitored and documented.

Supplemental guidance for the AT controls can be found in the following documents:

- NIST SP 800-50 provides guidance on security awareness training [61].
- NIST SP 800-100 provides guidance on information security governance and planning [27].

ICS-specific Recommendations and Guidance

For the ICS environment, this must include control system-specific information security awareness and training for specific ICS applications. In addition, an organization must identify, document, and train all personnel having significant ICS roles and responsibilities. Awareness and training must cover the physical process being controlled as well as the ICS.

Security awareness is a critical part of ICS incident prevention, particularly when it comes to social engineering threats. Social engineering is a technique used to manipulate individuals into giving away private information, such as passwords. This information can then be used to compromise otherwise secure systems.
Implementing an ICS security program may bring changes to the way in which personnel access computer programs, applications, and the computer desktop itself. Organizations should design effective training programs and communication vehicles to help employees understand why new access and control methods are required, ideas they can use to reduce risks, and the impact on the organization if control methods are not incorporated. Training programs also demonstrate management's commitment to, and the value of, a cybersecurity program. Feedback from staff exposed to this type of training can be a valuable source of input for refining the charter and scope of the security program.

6.2.3 Audit and Accountability

An audit is an independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures. The security controls that fall within the NIST SP 800-53 Audit and Accountability (AU) family provide policies and procedures for generating audit records, their content, capacity, and retention requirements. The controls also provide safeguards to react to problems such as an audit failure or audit log capacity being reached. Audit data should be protected from modification and be designed with non-repudiation capability.

Supplemental guidance for the AU controls can be found in the following documents:

- NIST SP 800-61 provides guidance on computer security incident handling and audit log retention [59].
- NIST SP 800-92 provides guidance on log management (including audit logs) [68].
- NIST SP 800-100 provides guidance on information security governance and planning [27].

ICS-specific Recommendations and Guidance

It is necessary to determine that the system is performing as intended. Periodic audits of the ICS should be performed to validate the following items:

- The security controls present during system validation testing (e.g., factory acceptance testing and site acceptance testing) are still installed and operating correctly in the production system.
- The production system is free from security compromises and provides information on the nature and extent of compromises, as feasible, should they occur.
- The management of change program is being rigorously followed, with an audit trail of reviews and approvals for all changes.

The results from each periodic audit should be expressed in the form of performance against a set of predefined and appropriate metrics to display security performance and security trends. Security performance metrics should be sent to the appropriate stakeholders, along with a view of security performance trends.

Traditionally, the primary basis for audit in IT systems has been recordkeeping. Using appropriate tools within an ICS environment requires extensive knowledge from an IT professional familiar with the ICS and with the critical production and safety implications for the facility. Many of the process control devices that are integrated into the ICS have been installed for many years and do not have the capability to provide the audit records described in this section. Therefore, the applicability of these more modern tools for auditing system and network activity is dependent upon the capabilities of the components in the ICS.
The critical tasks in managing a network in an ICS environment are ensuring reliability and availability to support safe and efficient operation. In regulated industries, regulatory compliance can add complexity to security and authentication management, registry and installation integrity management, and all functions that can augment an installation and operational qualification exercise. Diligent use of auditing and log management tools can provide valuable assistance in maintaining and proving the integrity of the ICS from installation through the system life cycle. The value of these tools in this environment can be calculated from the effort required to re-qualify or otherwise retest the ICS when its integrity is in question because of attack, accident, or error. The system should provide reliable, synchronized time stamps in support of the audit tools.

Monitoring of sensors, logs, Intrusion Detection Systems (IDS), antivirus, patch management, policy management software, and other security mechanisms should be done on a real-time basis where feasible. A first-line monitoring service would receive alarms, do rapid initial problem determination, and take action to alert appropriate facility personnel to intervene.

System auditing utilities should be incorporated into new and existing ICS projects. These auditing utilities should be tested (e.g., off-line on a comparable ICS) before being deployed on an operational ICS. These tools can provide tangible records of evidence and system integrity. Additionally, active log management utilities may actually flag an attack or event in progress and provide location and tracing information to help respond to the incident [34].
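Two of the properties asked for above, audit data that is protected from modification with non-repudiation capability and reliable, synchronized time stamps, can be illustrated with a small hash-chained log. The code below is an added example written for this page, not the guide's or any product's implementation; the key, the record format and the sample console events are constructed.

```python
"""Tamper-evident audit trail for ICS console and control actions.
Each record carries an HMAC-SHA256 tag computed over the previous record's
tag and the record's own fields, so modifying, removing or reordering any
record invalidates that record and every record after it. The verifier also
flags timestamps that run backwards, which is how a log collector notices a
host whose clock is not synchronized. Key and records are constructed."""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # tag assumed for the (non-existent) record before the first one
# Constructed key; in practice it is held by the log collector, not by the logging host.
AUDIT_KEY = b"example-audit-key-not-for-production"


def record_tag(key, prev_tag, fields):
    """HMAC-SHA256 over the previous tag and the canonical JSON of the record's fields."""
    payload = prev_tag.encode() + json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_record(log, key, ts, user, action, target):
    """Append a record chained to the last entry (or to GENESIS for the first entry)."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    record = {"ts": ts, "user": user, "action": action, "target": target}
    record["tag"] = record_tag(key, prev_tag, record)
    log.append(record)
    return record


def verify_log(log, key):
    """Recompute the chain from GENESIS; return (ok, problems).

    The chain is rebuilt from the recomputed tags, not the stored ones, so a
    single altered record also breaks every later record."""
    problems = []
    prev_tag = GENESIS
    prev_ts = None
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "tag"}
        expected = record_tag(key, prev_tag, fields)
        if not hmac.compare_digest(entry.get("tag", ""), expected):
            problems.append(f"record {i}: tag mismatch (modified, removed or reordered entry)")
        # ISO-8601 UTC strings of equal format compare correctly as text.
        if prev_ts is not None and entry["ts"] < prev_ts:
            problems.append(f"record {i}: timestamp {entry['ts']} is earlier than the previous record")
        prev_tag = expected
        prev_ts = entry["ts"]
    return (not problems, problems)


def demo():
    """Build a constructed three-record trail, tamper with it, and return the verdict."""
    log = []
    append_record(log, AUDIT_KEY, "2015-05-01T08:00:00Z", "operator1", "login", "hmi-03")
    append_record(log, AUDIT_KEY, "2015-05-01T08:04:10Z", "operator1", "setpoint_change", "PLC-12/TIC-101")
    append_record(log, AUDIT_KEY, "2015-05-01T08:30:00Z", "operator1", "logout", "hmi-03")
    # Tampering: rewrite the setpoint change so it looks like a harmless read.
    log[1]["action"] = "read"
    return verify_log(log, AUDIT_KEY)


if __name__ == "__main__":
    ok, problems = demo()
    print("verified" if ok else "\n".join(problems))
```

With a single shared key this gives integrity, not full non-repudiation: anyone holding the key can recompute tags. Non-repudiation in the sense the guide uses it needs the tags (or periodic chain checkpoints) signed with a key the logging host and its operators do not control, for example by the central log collector.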
There should be a method for tracing all console activities to a user, either manual (e.g., control room sign-in) or automatic (e.g., login at the application and/or OS layer). Policies and procedures for what is logged, how the logs are stored (or printed), how they are protected, who has access to the logs, and how and when they are reviewed should be developed. These policies and procedures will vary with the ICS application and platform. Legacy systems typically employ printer loggers, which are reviewed by administrative, operational, and security staff. Logs maintained by the ICS application may be stored at various locations and may or may not be encrypted.

6.2.4 Security Assessment and Authorization

The security controls that fall within the NIST SP 800-53 Assessment and Authorization (CA) family provide the basis for performing periodic assessments and providing certification of the security controls implemented in the information system to determine if the controls are implemented correctly, operating as intended, and producing the desired outcome to meet the system security requirements. A senior organizational official is responsible for accepting residual risk and authorizing system operation. These steps constitute accreditation. In addition, all security controls should be monitored on an ongoing basis. Monitoring activities include configuration management and control of information system components, security impact analysis of changes to the system, ongoing assessment of security controls, and status reporting.
Supplemental guidance for the CA controls can be found in the following documents:

- NIST SP 800-53A provides guidance on security control assessments [23].
- NIST SP 800-37 provides guidance defining the information system boundary and security certification and accreditation of the information system [21].
- NIST SP 800-100 provides guidance on information security governance and planning [27].

6.2.5 Configuration Management

Configuration management policy and procedures are used to control modifications to hardware, firmware, software, and documentation to ensure that the information system is protected against improper modifications prior to, during, and after system implementation. The security controls that fall within the NIST SP 800-53 Configuration Management (CM) family provide policy and procedures for establishing baseline controls for information systems. Controls are also specified for maintaining, monitoring, and documenting configuration control changes. There should be restricted access to configuration settings, and security settings of IT products should be set to the most restrictive mode consistent with ICS operational requirements.

Supplemental guidance for the CM controls can be found in the following documents:

- NIST SP 800-70 provides guidance on configuration settings for IT products [26].
- NIST SP 800-100 provides guidance on information security governance and planning [27].
- NIST SP 800-128 provides guidance on implementation of a security-focused configuration management program [80].
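The baseline, monitoring and documentation of configuration changes that the CM family calls for, and the periodic-audit check in 6.2.3 that the controls present at acceptance testing are still in place, both reduce to comparing captured device configurations against an approved baseline and a record of approved changes. The following is an added example, not the guide's procedure or any product's feature: the device names, configuration texts and change-ticket identifiers (CHG-…) are constructed, and the digest-based comparison is one simple way to do it.

```python
"""Configuration baseline and drift check for ICS components.

The baseline records, per device, a SHA-256 digest of the approved
configuration and the change record that approved it. A later inventory is
compared against it: unchanged devices pass, a changed digest must match a
digest recorded in an approved change, and devices missing from or added to
the inventory are reported. Devices, configurations and changes are constructed."""
import hashlib


def config_digest(config_text):
    """Digest of a configuration with line endings and trailing blanks normalised,
    so a re-export of the same configuration does not register as drift."""
    lines = [line.rstrip() for line in config_text.replace("\r\n", "\n").splitlines()]
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def build_baseline(inventory, approvals):
    """inventory: {device: config_text}; approvals: {device: change_id that approved it}."""
    return {dev: {"digest": config_digest(cfg), "change": approvals.get(dev)}
            for dev, cfg in inventory.items()}


def check_drift(baseline, inventory, approved_changes):
    """approved_changes: {device: {change_id: digest}} exported from change management.
    Returns findings grouped by category; every list empty means no drift."""
    findings = {"unapproved_change": [], "approved_change": [], "missing": [], "unexpected": []}
    for dev, base in baseline.items():
        if dev not in inventory:
            findings["missing"].append(dev)
            continue
        current = config_digest(inventory[dev])
        if current == base["digest"]:
            continue
        matching = [cid for cid, digest in approved_changes.get(dev, {}).items() if digest == current]
        if matching:
            findings["approved_change"].append((dev, matching[0]))
        else:
            findings["unapproved_change"].append(dev)
    for dev in inventory:
        if dev not in baseline:
            findings["unexpected"].append(dev)
    return findings


# Constructed sample: configurations captured at site acceptance testing.
BASELINE_INVENTORY = {
    "plc-12": "ip 10.10.1.12\nmodbus-tcp enable\nweb-server disable\n",
    "hmi-03": "ip 10.10.1.33\nremote-desktop disable\nusb-ports disable\n",
    "fw-ics-edge": "rule 10 permit tcp 10.10.0.0/16 any 502\nrule 20 deny ip any any\n",
}
BASELINE_APPROVALS = {"plc-12": "CHG-0001", "hmi-03": "CHG-0001", "fw-ics-edge": "CHG-0001"}

# Constructed sample: a later capture of the same site.
CURRENT_INVENTORY = {
    "plc-12": "ip 10.10.1.12\nmodbus-tcp enable\nweb-server enable\n",  # changed, no ticket
    "hmi-03": "ip 10.10.1.33\nremote-desktop disable\nusb-ports disable\n",
    "fw-ics-edge": ("rule 10 permit tcp 10.10.0.0/16 any 502\n"
                    "rule 15 permit tcp 10.10.7.5 any 44818\n"
                    "rule 20 deny ip any any\n"),
    "hmi-04": "ip 10.10.1.34\n",  # not in the baseline at all
}
# Constructed change records: only the firewall rule was reviewed and approved.
APPROVED_CHANGES = {
    "fw-ics-edge": {"CHG-0042": config_digest(CURRENT_INVENTORY["fw-ics-edge"])},
}


def demo():
    baseline = build_baseline(BASELINE_INVENTORY, BASELINE_APPROVALS)
    return check_drift(baseline, CURRENT_INVENTORY, APPROVED_CHANGES)


if __name__ == "__main__":
    for category, items in demo().items():
        print(f"{category}: {items}")
```

In the sample run the PLC's web server was enabled without a change record (unapproved change), the firewall rule addition matches ticket CHG-0042 (approved), and hmi-04 appears without ever having been baselined. Comparing whole-configuration digests is deliberately coarse: it answers "did anything change" and leaves "what changed" to a diff of the stored and captured text, which the audit trail of reviews and approvals should already contain.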
ICS-specific Recommendations and Guidance

A formal change management program should be established and procedures used to ensure that all modifications to an ICS network meet the same security requirements as the original components identified in the asset evaluation and the associated risk assessment and mitigation plans. Risk assessment should be performed on all changes to the ICS network that could affect security, including configuration changes, the addition of network components, and installation of software. Changes to policies and procedures may also be required. The current ICS network configuration and device configurations must always be known and documented.

6.2.6 Contingency Planning

Contingency plans are designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disaster. The security controls that fall within the NIST SP 800-53 Contingency Planning (CP) family provide policies and procedures to implement a contingency plan by specifying roles and responsibilities, and assigning personnel and activities associated with restoring the information system after a disruption or failure. Along with planning, controls also exist for contingency training, testing, and plan update, and for backup information processing and storage sites.

Supplemental guidance for the CP controls can be found in the following documents:

- NIST SP 800-34 provides guidance on contingency planning [52].
- NIST SP 800-100 provides guidance on information security governance and planning [27].

ICS-specific Recommendations and Guidance

Contingency plans should cover the full range of failures or problems that could be caused by cyber incidents.
Contingency plans should include procedures for restoring systems from known valid backups, separating systems from all non-essential interferences and connections that could permit cybersecurity intrusions, and alternatives to achieve necessary interfaces and coordination. Employees should be trained and familiar with the contents of the contingency plans. Contingency plans should be periodically reviewed with employees responsible for restoration of the ICS, and tested to ensure that they continue to meet their objectives.

Organizations also have business continuity plans and disaster recovery plans that are closely related to contingency plans. Because business continuity and disaster recovery plans are particularly important for ICS, they are described in more detail in the sections to follow.

6.2.6.1 Business Continuity Planning

Business continuity planning addresses the overall issue of maintaining or reestablishing production in the case of an interruption. These interruptions may take the form of a natural disaster (e.g., hurricane, tornado, earthquake, flood), an unintentional man-made event (e.g., accidental equipment damage, fire or explosion, operator error), an intentional man-made event (e.g., attack by bomb, firearm or vandalism, attacker or virus), or an equipment failure. From a potential outage perspective, this may involve typical time spans of days, weeks, or months to recover from a natural disaster, or minutes or hours to recover from a malware infection or a mechanical/electrical failure. Because there is often a separate discipline that deals with reliability and electrical/mechanical maintenance, some organizations choose to define business continuity in a way that excludes these sources of failure.
Because business continuity also deals primarily with the long-term implications of production outages, some organizations also choose to place a minimum interruption limit on the risks to be considered. For the purposes of ICS cybersecurity, it is recommended that neither of these constraints be made. Long-term outages (disaster recovery) and short-term outages (operational recovery) should both be considered.

Because some of these potential interruptions involve man-made events, it is also important to work collaboratively with the physical security organization to understand the relative risks of these events and the physical security countermeasures that are in place to prevent them. It is also important for the physical security organization to understand which areas of a production site house data acquisition and control systems that might have higher-level risks.

Before creating a business continuity plan (BCP) to deal with potential outages, it is important to specify the recovery objectives for the various systems and subsystems involved based on typical business needs. There are two distinct types of objectives: system recovery and data recovery. System recovery involves the recovery of communication links and processing capabilities, and it is usually specified in terms of a Recovery Time Objective (RTO). This is defined as the time required to recover the required communication links and processing capabilities.
Data recovery involves the recovery of data describing production or product conditions in the past and is usually specified in terms of a Recovery Point Objective (RPO). This is defined as the longest period of time for which an absence of data can be tolerated. Once the recovery objectives are defined, a list of potential interruptions should be created and the recovery procedure developed and described. For most of the smaller scale interruptions, repair and replace activities based on a critical spares inventory will prove adequate to meet the recovery objectives. When this is not true, contingency plans need to be developed. Due to the potential cost and importance of these contingency plans, they should be reviewed with the managers responsible for business continuity planning to verify that they are justified. Once the recovery procedures are documented, a schedule should be developed to test part or all of the recovery procedures. Particular attention must be paid to the verification of backups of system configuration data and product or production data. Examples of system configuration data include computer configuration backups, application configuration backups, operational control limits, control bands and setpoints for pre-incident operation for all ICS programmable equipment. Not only should these be tested when they are produced, but the procedures followed for their storage should also be reviewed periodically to verify that the backups are kept in environmental conditions that will not render them unusable and that they are kept in a secure location, so they can be quickly obtained by authorized individuals when needed. 
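The recovery objectives just defined (RTO and RPO), the rule that repair-and-replace from a critical spares inventory is adequate only while it meets those objectives, and the backup policy considerations listed under 6.2.6.2 (restore speed, rate of change of critical data, tested backups) can be checked together for each system in a recovery plan. The code below is an added example, not a procedure from the guide; the systems, objectives and measured restore times are constructed, and it uses one simplification, labelled in the comments, that the data lost in an outage is at most one backup interval.

```python
"""Check a backup and recovery plan against per-system RTO and RPO objectives.

Simplification (assumption of this example): a backup taken every
backup_interval_hours can lose at most one interval of data, so the RPO is
met only when backup_interval_hours <= rpo_hours. The RTO is met only when
the restore time measured in the last test is within it; an untested restore
is itself a gap. When repair/replace from critical spares cannot meet the RTO,
the guide says a contingency plan must exist, so its absence is a gap."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class RecoveryObjective:
    system: str
    rto_hours: float                      # Recovery Time Objective
    rpo_hours: float                      # Recovery Point Objective
    backup_interval_hours: float          # how often configuration/production data is backed up
    tested_restore_hours: Optional[float] # restore time measured in the last test; None if untested
    replacement_hours: float              # time to repair/replace from the critical spares inventory
    contingency_plan: bool                # a documented contingency plan exists for longer outages


def evaluate(obj):
    """Return the list of gaps for one system; an empty list means objectives are met."""
    gaps = []
    if obj.backup_interval_hours > obj.rpo_hours:
        gaps.append(f"{obj.system}: backups every {obj.backup_interval_hours}h cannot meet RPO {obj.rpo_hours}h")
    if obj.tested_restore_hours is None:
        gaps.append(f"{obj.system}: restore procedure has never been tested")
    elif obj.tested_restore_hours > obj.rto_hours:
        gaps.append(f"{obj.system}: tested restore {obj.tested_restore_hours}h exceeds RTO {obj.rto_hours}h")
    if obj.replacement_hours > obj.rto_hours and not obj.contingency_plan:
        gaps.append(f"{obj.system}: spares replacement {obj.replacement_hours}h exceeds RTO "
                    f"{obj.rto_hours}h and no contingency plan exists")
    return gaps


def evaluate_plan(objectives):
    """Return {system: gaps} for every system that has at least one gap."""
    return {obj.system: gaps for obj in objectives if (gaps := evaluate(obj))}


# Constructed sample plan for a small site.
SAMPLE_PLAN = [
    RecoveryObjective("historian", rto_hours=8, rpo_hours=1, backup_interval_hours=24,
                      tested_restore_hours=6, replacement_hours=4, contingency_plan=False),
    RecoveryObjective("plc-12", rto_hours=2, rpo_hours=24, backup_interval_hours=24,
                      tested_restore_hours=None, replacement_hours=1, contingency_plan=False),
    RecoveryObjective("hmi-03", rto_hours=4, rpo_hours=24, backup_interval_hours=12,
                      tested_restore_hours=3, replacement_hours=72, contingency_plan=False),
    RecoveryObjective("fw-ics-edge", rto_hours=1, rpo_hours=24, backup_interval_hours=24,
                      tested_restore_hours=0.5, replacement_hours=0.5, contingency_plan=True),
]


if __name__ == "__main__":
    for system, gaps in evaluate_plan(SAMPLE_PLAN).items():
        for gap in gaps:
            print(gap)
```

In the sample, the historian's daily backup cannot satisfy a one-hour RPO (the rate of change of its data dictates more frequent backups), the PLC restore has never been tested, and the HMI's 72-hour replacement lead time exceeds its RTO with no contingency plan, which is exactly the case the guide says calls for one.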
6.2.6.2 Disaster Recovery Planning

A disaster recovery plan (DRP) is a documented process or set of procedures to recover and protect an IT infrastructure in the event of a disaster. The DRP, ordinarily documented in written form, specifies procedures an organization is to follow in the event of a disaster. It is a comprehensive statement of consistent actions to be taken before, during and after a disaster. The disaster could be natural, environmental or man-made. Man-made disasters could be intentional or unintentional.

ICS-specific Recommendations and Guidance

A DRP is essential to continued availability of the ICS. The DRP should include the following items:

- Required response to events or conditions of varying duration and severity that would activate the recovery plan.
- Procedures for operating the ICS in manual mode with all external electronic connections severed until secure conditions can be restored.
- Roles and responsibilities of responders.
- Processes and procedures for the backup and secure storage of information.
- Complete and up-to-date logical network diagram.
- Personnel list for authorized physical and cyber access to the ICS.
- Communication procedure and list of personnel to contact in the case of an emergency, including ICS vendors, network administrators, ICS support personnel, etc.
- Current configuration information for all components.
- Schedule for exercising the DRP.

The plan should also indicate requirements for the timely replacement of components in the case of an emergency. If possible, replacements for hard-to-obtain critical components should be kept in inventory.

The security plan should define a comprehensive backup and restore policy. In formulating this policy, the following should be considered:

- The speed at which data or the system must be restored. This requirement may justify the need for a redundant system, spare offline computer, or valid file system backups.
ïŒ The frequency at which critical data and configurations are changing. This will dictate the frequency and completeness of backups. ïŒ The safe onsite and offsite storage of full and incremental backups. ïŒ The safe storage of installation media, license keys, and configuration information. ïŒ Identification of individuals responsible for performing, testing, storing, and restoring backups. 163 SP800-82 第 2 ç ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ã 6.2.6.2 çœå®³åŸ©æ§èšç» çœå®³åŸ©æ§èšç»ïŒDRPïŒã¯ãçœå®³æã« IT ã€ã³ãã©ã埩æ§ãä¿è·ããããã®ææžåãããããã»ã¹ åã¯æé ã§ãããDRP ã¯éåžžææžåãããçœå®³æã«çµç¹ãåãæé ãå®ãããçœå®³åã»äžã»åŸã« åãã¹ãäžè²«ããè¡åã«ã€ããŠãå æ¬çã«èšè¿°ãããçœå®³ã¯èªç¶ç°å¢ã®å Žåãããã°ã人çºç㪠ãã®ãããã人çºçœå®³ã¯æ æåã¯å¶çºã«ããçããã ICS åºæã®æšå¥šäºé åã³ã¬ã€ãã³ã¹ DRP ã¯ãICS ã®å¯çšæ§ãä¿æããããã«äžå¯æ¬ ã§ãããDRP ã«ã¯ä»¥äžãå«ããã¹ãã§ããã ïŒ åŸ©æ§èšç»æžãçºåãããäºè±¡åã¯ç¶æ ã®æéãšé倧æ§ã«å¿ããŠæ±ããããå¯Ÿå¿ ïŒ å€éšãžã®é»åæ¥ç¶ãå šãŠæãããäžã§ãã»ãã¥ã¢ãªç¶æ ã«åŸ©æ§ãããŸã§ãæåã¢ãŒã㧠ICS ã皌åãããããã®æé ïŒ å¯Ÿå¿è ã®åœ¹å²ãšè²¬ä»» ïŒ æ å ±ã®ããã¯ã¢ãããšã»ãã¥ã¢ãªä¿åãè¡ãããã®ããã»ã¹ãšæé ïŒ å®å šãªææ°ã®è«çãããã¯ãŒã¯å³ ïŒ ICS ãžã®ç«å ¥åã³ãµã€ããŒã¢ã¯ã»ã¹æš©éã®ãã人å¡ãªã¹ã ïŒ ç·æ¥æã®éä¿¡æé åã³é£çµ¡çžæã®ãªã¹ãïŒICS ãã³ããŒããããã¯ãŒã¯ç®¡çè ãICS ãµã㌠ãèŠå¡çãå«ããïŒ ïŒ å šãŠã®ã³ã³ããŒãã³ãã®ææ°æ§ææ å ± ïŒ DRP æŒç¿ã¹ã±ãžã¥ãŒã« èšç»æžã«ã¯ãç·æ¥æã®ã³ã³ããŒãã³ããé©æ亀æããããã®èŠä»¶ãå«ããã¹ãã§ãããã§ããã° å ¥æå°é£ãªéèŠã³ã³ããŒãã³ãã®ä»£æ¿åã¯ãåšåº«ãããŠããã¹ãã§ããã ã»ãã¥ãªãã£èšç»æžã¯ãå æ¬çãªããã¯ã¢ããåã³åŸ©æ§ããªã·ãŒãå®ããã¹ãã§ãããããªã·ãŒ ã®çå®ã«åœãã£ãŠã¯ã次ã®ç¹ãèæ ®ã«å ¥ããã¹ãã§ããã ïŒ ããŒã¿åã¯ã·ã¹ãã ã®åŸ©æ§ã«èŠããé床ããã®èŠä»¶ãããããšããåé·ã·ã¹ãã ãã¹ãã¢ã® ãªãã©ã€ã³ã³ã³ãã¥ãŒã¿åã¯æå¹ãã¡ã€ã«ã·ã¹ãã ããã¯ã¢ãããå¿ èŠãšãããã ïŒ éèŠããŒã¿åã³æ§æå€æŽã®é »åºŠãããã«ããããã¯ã¢ããã®é »åºŠãå®å šæ§ã決ãŸãã ïŒ å šé¢ããã¯ã¢ããåã³å·®åããã¯ã¢ããã®å®å šãªãªã³ãµã€ãåã³ãªããµã€ãä¿ç®¡ ïŒ ã€ã³ã¹ããŒã«ã¡ãã£ã¢ãã©ã€ã»ã³ã¹ããŒåã³èšå®æ å ±ã®å®å šãªä¿ç®¡ ïŒ ããã¯ã¢ããã®å®æœã»è©Šéšã»ä¿ç®¡ã»åŸ©æ§æ åœè ã®ç¹å® 164 SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY 6.2.7 Identification 
and Authentication Authentication describes the process of positively identifying potential network users, hosts, applications, services, and resources using a combination of identification factors or credentials. The result of this authentication process then becomes the basis for permitting or denying further actions (e.g., when an automatic teller machine asks for a PIN). Based on the authentication determination, the system may or may not allow the potential user access to its resources. Authorization is the process of determining who and what should be allowed to have access to a particular resource; access control is the mechanism for enforcing authorization. Access control is described in Section 6.2.1. There are several possible factors for determining the authenticity of a person, device, or system, including something you know, something you have or something you are. For example, authentication could be based on something known (e.g., PIN number or password), something possessed (e.g., key, dongle, smart card), something you are such as a biological characteristic (e.g., fingerprint, retinal signature), a location (e.g., Global Positioning System [GPS] location access), the time a request is made, or a combination of these attributes. In general, the more factors that are used in the authentication process, the more robust the process will be. When two or more factors are used, the process is known generically as multi-factor authentication. The security controls that fall within the NIST SP 800-53 Identification and Authentication (IA) family provide policy and guidance for the identification and authentication of users of and devices within the information system. These include controls to manage identifiers and authenticators within each technology used (e.g., tokens, certificates, biometrics, passwords, key cards). 
Supplemental guidance for the IA controls can be found in the following documents: ïŒ NIST SP 800-63 provides guidance on remote electronic authentication [53]. ïŒ NIST SP 800-73 provides guidance on interfaces for personal identity verification [49]. ïŒ NIST SP 800-76 provides guidance on biometrics for personal identity verification [50]. ïŒ NIST SP 800-100 provides guidance on information security governance and planning [27]. ICS-specific Recommendations and Guidance Computer systems in ICS environments typically rely on traditional passwords for authentication. Control system suppliers often supply systems with default passwords. These passwords are factory set and are often easy to guess or are changed infrequently, which creates additional security risks. Also, protocols currently used in ICS environments generally have inadequate or no network service authentication. There are now several forms of authentication available in addition to traditional password techniques being used with ICS. Some of these, including password authentication, are presented in the following sections with discussions regarding their use with ICS. 
6.2.7.1 Password Authentication

Password authentication technologies determine authenticity based on testing for something the device or human requesting access should know, such as a PIN number or password. Password authentication schemes are thought of as the simplest and most common forms of authentication.

Password vulnerabilities can be reduced by using an active password checker that prohibits weak, recently used, or commonly used passwords. Another weakness is the ease of third-party eavesdropping. Passwords typed at a keyboard are easily observed or recorded, especially in areas where adversaries could plant tiny wireless cameras or keystroke loggers. Network service authentication often transmits passwords as plaintext (unencrypted), allowing any network capture tool to expose the passwords.

ICS-specific Recommendations and Guidance

One problem with passwords unique to the ICS environment is that a user's ability to recall and enter a password may be impacted by the stress of the moment. During a major crisis when human intervention is critically required to control the process, an operator may panic and have difficulty remembering or entering the password and either be locked out completely or be delayed in responding to the event. If the password has been entered wrong and the system has a limit on allowed wrong password entries, the operator may be locked out permanently until an authorized employee can reset the account. Biometric identifiers may have similar drawbacks. Organizations should carefully consider the security needs and the potential ramifications of the use of authentication mechanisms on these critical systems.

In situations where the ICS cannot support, or the organization determines it is not advisable (e.g., performance, safety, or reliability are adversely impacted), to implement authentication mechanisms in an ICS, the organization uses compensating controls, such as rigorous physical security controls (e.g., control center keycard access for authorized users) to provide an equivalent security capability or level of protection for the ICS. This guidance also applies to the use of session lock and session termination in an ICS.

Special consideration must be made when pushing down policies based on login password authentication within the ICS environment. Without an exclusion list based on machine identification (ID), non-operator logon can result in policies being pushed down such as auto-logoff timeout and administrator password replacement that can be detrimental to the operation of the system.

Some ICS operating systems make setting secure passwords difficult, as the password size is very small and the system allows only group passwords at each level of access, not individual passwords. Some industrial (and Internet) protocols transmit passwords in plaintext, making them susceptible to interception. In cases where this practice cannot be avoided, it is important that users have different (and unrelated) passwords for use with encrypted and non-encrypted protocols.

The following are general recommendations and considerations with regards to the use of passwords.

• The length, strength, and complexity of passwords should balance security and operational ease of access within the capabilities of the software and underlying OS.
• Passwords should have appropriate length and complexity for the required security. In particular, they should not be able to be found in a dictionary or contain predictable sequences of numbers or letters.
• Passwords should be used with care on operator interface devices such as control consoles on critical processes. Using passwords on these consoles could introduce potential safety issues if operators are locked out or delayed access during critical events. Physical security should supplement operator control consoles when password protection is not feasible.
• The keeper of master passwords should be a trusted employee, available during emergencies. Any copies of the master passwords must be stored in a very secure location with limited access.
• The passwords of privileged users (such as network technicians, electrical or electronics technicians and management, and network designers/operators) should be most secure and be changed frequently. Authority to change master passwords should be limited to trusted employees. A password audit record, especially for master passwords, should be maintained separately from the control system.
• In environments with a high risk of interception or intrusion (such as remote operator interfaces in a facility that lacks local physical security access controls), organizations should consider supplementing password authentication with other forms of authentication such as multi-factor authentication using biometric or physical tokens.
• For user authentication purposes, password use is common and generally acceptable for users logging directly into a local device or computer. Passwords should not be sent across any network unless protected by some form of FIPS-approved encryption or salted cryptographic hash specifically designed to prevent replay attacks. It is assumed that the device used to enter a password is connected to the network in a secure manner.
• For network service authentication purposes, passwords should not be passed as plain text. There are more secure alternatives available, such as challenge/response or public key authentication.

6.2.7.2 Challenge/response Authentication

Challenge/response authentication requires that both the service requester and service provider know a "secret" code in advance. When service is requested, the service provider sends a random number or string as a challenge to the service requester. The service requester uses the secret code to generate a unique response for the service provider. If the response is as expected, it proves that the service requester has access to the "secret" without ever exposing the secret on the network.

Challenge/response authentication addresses the security vulnerabilities of traditional password authentication. When passwords (hashed or plain) are sent across a network, a portion of the actual "secret" itself is being sent, giving the secret to the remote device that performs authentication. Therefore, traditional password exchange always suffers the risk of discovery or replay. Because the secret is known in advance and never sent in challenge/response systems, the risk of discovery is eliminated. If the service provider can never send the same challenge twice, and the receiver can detect all duplications, the risks of network capture and replay attacks are eliminated.
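The exchange described above, as an added example that is not part of NIST SP 800-82 or the JPCERT translation: the provider issues a fresh random challenge, the requester answers with an HMAC-SHA256 of it under the shared secret, and the provider refuses any challenge it has already seen answered. The secret value, the 30-second challenge lifetime and the HMAC construction are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed shared secret for this example; in practice it is provisioned out of band
# and must be high-entropy: a captured (challenge, response) pair reveals nothing about
# a random key, but a guessable password could still be attacked offline from such a pair.
SHARED_SECRET = secrets.token_bytes(32)


def compute_response(secret: bytes, challenge: bytes) -> bytes:
    """Requester side: prove knowledge of the secret without sending it (HMAC-SHA256)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class ServiceProvider:
    """Issues fresh random challenges and rejects any challenge answered more than once."""

    def __init__(self, secret: bytes, challenge_ttl_s: float = 30.0, clock=None):
        self._secret = secret
        self._ttl = challenge_ttl_s
        self._clock = clock or time.monotonic
        self._outstanding = {}  # challenge -> time issued, awaiting a response
        self._consumed = {}     # challenge -> time issued, already answered once

    def _prune(self, now: float) -> None:
        # Forget challenges older than the TTL: an expired challenge is rejected as unknown,
        # so the tracking state stays bounded without weakening replay detection.
        for table in (self._outstanding, self._consumed):
            for c in [c for c, t in table.items() if now - t > self._ttl]:
                del table[c]

    def issue_challenge(self) -> bytes:
        now = self._clock()
        self._prune(now)
        while True:
            # 128 random bits; the provider never knowingly sends the same challenge twice.
            challenge = secrets.token_bytes(16)
            if challenge not in self._outstanding and challenge not in self._consumed:
                break
        self._outstanding[challenge] = now
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> str:
        now = self._clock()
        self._prune(now)
        if challenge in self._consumed:
            return "replay"             # a captured response being resent
        issued = self._outstanding.pop(challenge, None)
        if issued is None:
            return "unknown-challenge"  # never issued, or expired and pruned
        self._consumed[challenge] = issued
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        # Constant-time comparison so a wrong response leaks no timing information.
        return "ok" if hmac.compare_digest(expected, response) else "bad-response"


def run_exchange(secret: bytes = SHARED_SECRET) -> dict:
    """Walk through the cases the text describes and return each outcome."""
    fake_now = [1000.0]  # injected clock so the expiry case is deterministic
    provider = ServiceProvider(secret, challenge_ttl_s=30.0, clock=lambda: fake_now[0])
    results = {}

    # Legitimate requester answers a fresh challenge.
    c1 = provider.issue_challenge()
    r1 = compute_response(secret, c1)
    results["legitimate"] = provider.verify(c1, r1)

    # An eavesdropper who captured (c1, r1) resends it: detected as a duplicate.
    results["captured_replay"] = provider.verify(c1, r1)

    # A requester without the secret cannot produce a valid response to a new challenge.
    c2 = provider.issue_challenge()
    results["wrong_secret"] = provider.verify(c2, compute_response(b"guess", c2))

    # A stale challenge answered after the TTL is no longer accepted.
    c3 = provider.issue_challenge()
    fake_now[0] += 31.0
    results["expired"] = provider.verify(c3, compute_response(secret, c3))

    # Only challenges and HMAC digests travel; the secret itself never appears on the wire.
    results["secret_on_wire"] = secret in (c1 + r1 + c2 + c3)
    return results
```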
ICS-specific Recommendations and Guidance

For User Authentication, the direct use of challenge/response authentication may not be feasible for a control system due to the possible latency that may be introduced in the necessary fast dynamics required for access to a control system or industrial network. For Network Service Authentication, the use of challenge/response authentication is preferable to more traditional password or source identity authentication schemes.

Challenge/response authentication provides more security than encrypted passwords for user authentication across a network. Managing master encryption algorithms and master passwords becomes increasingly more complex as more parties are involved in the security processes and is an important consideration in the robustness of the security scheme.

6.2.7.3 Physical Token Authentication

Physical or token authentication is similar to password authentication, except that these technologies determine authenticity by testing for a secret code or key produced by a device or token the person requesting access has in their possession, such as security tokens or smart cards. Increasingly, private keys are being embedded in physical devices such as USB dongles. Some tokens support single-factor authentication only, so that simply having possession of the token is sufficient to be authenticated. Others support multi-factor authentication that requires knowledge of a PIN or password in addition to possessing the token.

The primary vulnerability that token authentication addresses is easily duplicating a secret code or sharing it with others. It eliminates the all-too-common scenario of a password to a "secure" system being left on the wall next to a PC or operator station. The security token cannot be duplicated without special access to equipment and supplies. A second benefit is that the secret within a physical token can be very large, physically secure, and randomly generated. Because it is embedded in metal or silicon, it does not have the same risks that manually entered passwords do. If a security token is lost or stolen, the authorized user loses access, unlike traditional passwords that can be lost or stolen without notice.

Common forms of physical/token authentication include:

• Traditional physical lock and keys.
• Security cards (e.g., magnetic, smart chip, optical coding).
• Radio frequency devices in the form of cards, key fobs, or mounted tags.
• Dongles with secure encryption keys that attach to the USB, serial, or parallel ports of computers.
• One-time authentication code generators (e.g., key fobs).

For single-factor authentication, the largest weakness is that physically holding the token means access is granted (e.g., anyone finding a set of lost keys now has access to whatever they open). Physical/token authentication is more secure when combined with a second form of authentication, such as a memorized PIN used along with the token.
ICS-specific Recommendations and Guidance

Multi-factor authentication is an accepted good practice for access to ICS applications from outside the ICS firewall.

Physical/token authentication has the potential for a strong role in ICS environments. An access card or other token can be an effective form of authentication for computer access, as long as the computer is in a secure area (e.g., once the operator has gained access to the room with appropriate secondary authentication, the card alone can be used to enable control actions).

6.2.7.4 Smart Card Authentication

Smart cards are similar to token authentication, but can provide additional functionality. Smart cards can be configured to run multiple on-board applications to support building access, computer dual-factor or triple-factor authentication and cashless vending on a single card, while also acting as the company photo ID for the individual.

Typically, smart cards come in a credit card size form-factor that can be printed, embossed, and individually personalized. Smart cards can be customized, individualized, and issued in-house or outsourced to service providers who typically issue hundreds of thousands of cards per day.

Smart cards enhance software-only solutions, such as password authentication, by offering an additional authentication factor and removing the human element in memorizing complex secrets. They also:

• Isolate security-critical computations, involving authentication, digital signatures, and key exchange from other parts of the system that do not have a need to know.
• Enable portability of credentials and other private information between multiple computer systems.
• Provide tamper-resistant storage for protecting private keys and other forms of personal information.

The majority of issues are logistical around issuing the cards, particularly to replace lost or stolen cards.

ICS-specific Recommendations and Guidance

Although smart cards are relatively inexpensive and offer useful functionality in an industrial control system context, their implementation must be done within the overall security context of the plant. The necessary identification of individuals, issuance of cards, revocation should compromise be suspected, and the assignment of authorizations to authenticated identities represent a significant initial and on-going challenge. In some cases corporate IT or other resources may be available to assist in the deployment of smart card and public key based infrastructures.

If smart cards are implemented in an industrial control setting, provisions for management of lost or damaged cards should be considered, as well as the costs to incorporate a respective access control system and provide a management process for card distribution and retrieval.
6.2.7.5 Biometric Authentication

Biometric authentication technologies determine authenticity by determining presumably unique biological characteristics of the human requesting access. Usable biometric features include finger minutiae, facial geometry, retinal and iris signatures, voice patterns, typing patterns, and hand geometry.

Like physical tokens and smart cards, biometric authentication enhances software-only solutions, such as password authentication, by offering an additional authentication factor and removing the human element in memorizing complex secrets. In addition, because biometric characteristics are unique to a given individual, biometric authentication addresses the issues of lost or stolen physical tokens and smart cards.

Noted issues with biometric authentication include:

• Distinguishing a real object from a fake (e.g., how to distinguish a real human finger from a silicon-rubber cast of one or a real human voice from a recorded one).
• Generating type-I and type-II errors (the probability of rejecting a valid biometric image, and the probability of accepting an invalid biometric image, respectively). Biometric authentication devices should be configured to the lowest crossover between these two probabilities, also known as the crossover error rate.
• Handling environmental factors such as temperature and humidity to which some biometric devices are sensitive.
• Addressing industrial applications where employees may have on safety glasses and/or gloves and industrial chemicals may impact biometric scanners.
• Retraining biometric scanners that occasionally "drift" over time. Human biometric traits may also shift over time, necessitating periodic scanner retraining.
• Requiring face-to-face technical support and verification for device training, unlike a password that can be given over a phone or an access card that can be handed out by a receptionist.
• Denying needed access to the control system because of a temporary inability of the sensing device to acknowledge a legitimate user.
• Being socially acceptable. Users consider some biometric authentication devices more acceptable than others. For example, retinal scans may be considered very low on the scale of acceptability, while thumb print scanners may be considered high on the scale of acceptability. Users of biometric authentication devices will need to take social acceptability for their target group into consideration when selecting among various biometric authentication technologies.

ICS-specific Recommendations and Guidance

Biometric devices make a useful secondary check versus other forms of authentication that can become lost or borrowed. Using biometric authentication in combination with token-based access control or badge-operated employee time clocks increases the security level. A possible application is in a control room that is environmentally controlled and physically secured [34].

Biometrics can provide a valuable authentication mechanism, but need to be carefully assessed for industrial applications because physical and environmental issues within the installation environment may need to be restructured for reliable authorized authentication. The exact physical and environmental properties of an installation should be coordinated with a system vendor or manufacturer.
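The type-I/type-II trade-off from the list above, worked through as an added example (not from NIST SP 800-82 or the JPCERT translation): given matcher scores for genuine and impostor presentations, compute the false rejection and false acceptance rates at each candidate acceptance threshold and locate the crossover point the text says devices should be configured to. The score lists are constructed for this example and stand in for a device's calibration data.

```python
# Constructed matcher scores (higher = closer match to the enrolled template):
# genuine attempts by the enrolled operator, and impostor attempts by other people.
GENUINE_SCORES = [88, 92, 75, 81, 95, 67, 90, 84, 79, 93]
IMPOSTOR_SCORES = [30, 45, 52, 61, 38, 70, 25, 48, 66, 55]


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) when a presentation is accepted iff score >= threshold.

    FRR is the type-I error (a valid user rejected); FAR is the type-II error
    (an invalid user accepted).
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def error_curve(genuine, impostor):
    """FRR and FAR at every threshold that changes a decision: (threshold, frr, far) rows."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def crossover(genuine, impostor):
    """Threshold where FRR and FAR meet, and the crossover error rate at that point.

    Raising the threshold lowers FAR but raises FRR, so the two curves cross once.
    The candidate threshold with the smallest |FRR - FAR| is returned; ties go to
    the lower threshold, which is the one less likely to lock out a real operator.
    """
    t, frr, far = min(error_curve(genuine, impostor),
                      key=lambda row: (abs(row[1] - row[2]), row[0]))
    return t, (frr + far) / 2
```

Sweeping the constructed data shows the crossover at a threshold of 70 with an error rate of 0.1; moving the threshold either way trades one error type for the other.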
176 SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY

6.2.8 Incident Response

An incident response plan is documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of incidents against an organization's information systems. Response should be measured first and foremost against the "service being provided," not just the system that was compromised. If an incident is discovered, there should be a quick risk assessment performed to evaluate the effect of both the attack and the options to respond. For example, one possible response option is to physically isolate the system under attack. However, this may have such a dire impact on the service that it is dismissed as not viable.

The security controls that fall within the NIST SP 800-53 Incident Response (IR) family provide policies and procedures for incident response monitoring, handling, and reporting. The handling of a security incident includes preparation, detection and analysis, containment, eradication, and recovery. Controls also cover incident response training for personnel and testing the incident response capability for an information system.

Supplemental guidance for the IR controls can be found in the following documents:
• NIST SP 800-61 provides guidance on incident handling and reporting [59].
• NIST SP 800-83 provides guidance on malware incident prevention and handling [60].
• NIST SP 800-100 provides guidance on information security governance and planning [27].

ICS-specific Recommendations and Guidance

Regardless of the steps taken to protect an ICS, it is always possible that it may be compromised by an intentional or unintentional incident.
The following symptoms can arise from normal network problems, but when several symptoms start to appear, a pattern may indicate the ICS is under attack and may be worth investigating further. If the adversary is skilled, it may not be very obvious that an attack is underway. The symptoms of an incident could include any of the following:
• Unusually heavy network traffic.
• Out of disk space or significantly reduced free disk space.
• Unusually high CPU usage.
• Creation of new user accounts.
• Attempted or actual use of administrator-level accounts.
• Locked-out accounts.
• Account in-use when the user is not at work.
• Cleared log files.
• Full log files with an unusually large number of events.
• Antivirus or IDS alerts.
• Disabled antivirus software and other security controls.
• Unexpected patch changes.
• Machines connecting to outside IP addresses.
• Requests for information about the system (social engineering attempts).
• Unexpected changes in configuration settings.
• Unexpected system shutdown.

To minimize the effects of these intrusions, it is necessary to plan a response. Incident response planning defines procedures to be followed when an intrusion occurs. NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide [59], provides guidance on incident response planning, which might include the following items:
• Classification of Incidents. The various types of ICS incidents should be identified and classified as to potential impact so that a proper response can be formulated for each potential incident.
• Response Actions. There are several responses that can be taken in the event of an incident. These range from doing nothing to full system shutdown (although full shutdown of an ICS is a highly unlikely response). The response taken will depend on the type of incident and its effect on the ICS system and the physical process being controlled. A written plan documenting the types of incidents and the response to each type should be prepared. This will provide guidance during times when there might be confusion or stress due to the incident. This plan should include step-by-step actions to be taken by the various organizations. If there are reporting requirements, these should be noted as well as where the report should be made and phone numbers to reduce reporting confusion.
• Recovery Actions. The results of the intrusion could be minor, or the intrusion could cause many problems in the ICS. Risk analysis should be conducted to determine the sensitivity of the physical system being controlled to failure modes in the ICS. In each case, step-by-step recovery actions should be documented so that the system can be returned to normal operations as quickly and safely as possible. Recovery actions for an intrusion that affects operation of the ICS will closely align with the system's Disaster Recovery Plan, and should take into account the planning and coordination already established.

During the preparation of the incident response plan, input should be obtained from the various stakeholders including operations, engineering, IT, system support vendors, management, organized labor, legal, and safety. These stakeholders should also review and approve the plan.
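The symptom list above is only useful if it is checked against what the ICS actually records. The following is an added example, not code from NIST SP 800-82 or the JPCERT translation: it maps each machine-observable symptom onto a check over constructed metric and event records and, following the guide's point that one symptom is usually a normal problem while several together form a pattern, flags a case for investigation only once several distinct symptoms co-occur. Field names, thresholds, the shift table, account names and network ranges are all assumptions.

```python
"""Correlate the incident symptoms listed above over constructed ICS telemetry.

Added example, not code from NIST SP 800-82 or the JPCERT translation. Field
names, thresholds, shift table, account names and network ranges are constructed.
"""
import ipaddress
from datetime import datetime, time
from typing import List, Tuple

# Constructed baseline for one engineering workstation plus the thresholds we
# treat as "unusual" (assumptions; tune per site).
BASELINE = {"net_mbps": 5.0, "events_per_hour": 200}
UNUSUAL_FACTOR = 3.0          # traffic or log volume above 3x baseline
HIGH_CPU_PCT = 90.0
MIN_FREE_DISK_PCT = 10.0

# Constructed shift table (local time), privileged accounts and the address
# range that counts as "inside" the control network.
SHIFTS = {"op_tanaka": (time(6, 0), time(18, 0))}
ADMIN_ACCOUNTS = {"Administrator", "root"}
ICS_NETS = [ipaddress.ip_network("10.10.0.0/16")]

def on_shift(user: str, ts: datetime) -> bool:
    """True when the user has no shift record or ts falls inside the shift."""
    if user not in SHIFTS:
        return True
    start, end = SHIFTS[user]
    return start <= ts.time() <= end

def check_metrics(m: dict) -> List[Tuple[str, str]]:
    """Resource symptoms: heavy traffic, low disk, high CPU, log flood."""
    out: List[Tuple[str, str]] = []
    if m["net_mbps"] > BASELINE["net_mbps"] * UNUSUAL_FACTOR:
        out.append(("heavy_traffic", f"{m['net_mbps']} Mbps"))
    if m["free_disk_pct"] < MIN_FREE_DISK_PCT:
        out.append(("low_disk", f"{m['free_disk_pct']}% free"))
    if m["cpu_pct"] > HIGH_CPU_PCT:
        out.append(("high_cpu", f"{m['cpu_pct']}%"))
    if m["events_per_hour"] > BASELINE["events_per_hour"] * UNUSUAL_FACTOR:
        out.append(("log_flood", f"{m['events_per_hour']} events/h"))
    return out

def check_event(e: dict) -> List[Tuple[str, str]]:
    """Account, security-control, connectivity and change symptoms in one event."""
    ts = datetime.fromisoformat(e["ts"])
    kind = e["type"]
    out: List[Tuple[str, str]] = []
    if kind == "user_created":
        out.append(("new_account", e["user"]))
    elif kind in ("logon", "logon_failed"):
        if e["user"] in ADMIN_ACCOUNTS:           # attempted or actual admin use
            out.append(("admin_use", f"{kind} {e['user']}"))
        if not on_shift(e["user"], ts):           # account in use off shift
            out.append(("off_shift_use", f"{e['user']} at {ts:%H:%M}"))
    elif kind == "lockout":
        out.append(("lockout", e["user"]))
    elif kind == "log_cleared":
        out.append(("log_cleared", e["log"]))
    elif kind == "alert":                         # antivirus or IDS alert
        out.append(("security_alert", e["source"]))
    elif kind == "control_status" and not e["enabled"]:
        out.append(("control_disabled", e["control"]))
    elif kind == "patch" and not e.get("approved", False):
        out.append(("unexpected_patch", e["id"]))
    elif kind == "net_conn":
        dst = ipaddress.ip_address(e["dst"])
        if not any(dst in net for net in ICS_NETS):
            out.append(("outside_conn", f"{e['src']} -> {e['dst']}"))
    elif kind == "config_change" and not e.get("approved", False):
        out.append(("config_change", e["object"]))
    elif kind == "shutdown" and not e.get("planned", False):
        out.append(("unexpected_shutdown", e["host"]))
    return out

def assess(metrics: dict, events: List[dict], min_symptoms: int = 3) -> dict:
    """Collect findings; flag a pattern once several distinct symptoms appear."""
    findings = check_metrics(metrics)
    for e in events:
        findings.extend(check_event(e))
    symptoms = sorted({name for name, _ in findings})
    return {"findings": findings, "symptoms": symptoms,
            "investigate": len(symptoms) >= min_symptoms}

# Constructed telemetry: one metric snapshot and a short event stream.
SAMPLE_METRICS = {"net_mbps": 22.0, "free_disk_pct": 4.0, "cpu_pct": 45.0,
                  "events_per_hour": 180}
SAMPLE_EVENTS = [
    {"ts": "2015-05-12T02:14:00", "type": "logon", "user": "op_tanaka", "host": "ews01"},
    {"ts": "2015-05-12T02:16:30", "type": "user_created", "user": "svc_hist2", "by": "Administrator"},
    {"ts": "2015-05-12T02:17:05", "type": "logon", "user": "Administrator", "host": "ews01"},
    {"ts": "2015-05-12T02:20:00", "type": "log_cleared", "log": "Security", "host": "ews01"},
    {"ts": "2015-05-12T02:21:40", "type": "net_conn", "src": "10.10.1.25", "dst": "203.0.113.7", "dport": 443},
    {"ts": "2015-05-12T02:22:00", "type": "control_status", "control": "antivirus", "enabled": False},
    {"ts": "2015-05-12T09:00:00", "type": "net_conn", "src": "10.10.1.25", "dst": "10.10.2.40", "dport": 502},
]

if __name__ == "__main__":
    result = assess(SAMPLE_METRICS, SAMPLE_EVENTS)
    print(len(result["symptoms"]), "distinct symptoms; investigate:", result["investigate"])
```

The "requests for information about the system" symptom has no machine record and is deliberately left to people and process; the threshold `min_symptoms` is where a site trades missed patterns against false alarms.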
6.2.9 Maintenance

The security controls that fall within the NIST SP 800-53 Maintenance (MA) family provide policy and procedure for performing routine and preventative maintenance on the components of an information system. This includes the usage of maintenance tools (both local and remote) and management of maintenance personnel.

Supplemental guidance for the MA controls can be found in the following documents:
• NIST SP 800-63 provides guidance on electronic authentication for remote maintenance [53].
• NIST SP 800-100 provides guidance on information security governance and planning [27].

6.2.10 Media Protection

The security controls that fall within the NIST SP 800-53 Media Protection (MP) family provide policies and procedures for limiting the access to media to authorized users. Controls also exist for labeling media for distribution and handling requirements, as well as storage, transport, sanitization (removal of information from digital media), destruction, and disposal of the media.

Supplemental guidance for the MP controls can be found in the following documents:
• NIST SP 800-88 provides guidance on appropriate sanitization equipment, techniques, and procedures [78].
• NIST SP 800-100 provides guidance on information security governance and planning [27].

ICS-specific Recommendations and Guidance

Media assets include removable media and devices such as floppy disks, CDs, DVDs and USB memory sticks, as well as printed reports and documents. Physical security controls should address specific requirements for the safe and secure maintenance of these assets and provide specific guidance for transporting, handling, and erasing or destroying these assets. Security requirements could include safe storage from loss, fire, theft, unintentional distribution, or environmental damage.

If an adversary gains access to backup media associated with an ICS, it could provide valuable data for launching an attack. Recovering an authentication file from the backups might allow an adversary to run password cracking tools and extract usable passwords.
In addition, the backups typically contain machine names, IP addresses, software version numbers, usernames, and other data useful in planning an attack.

The use of any unauthorized CDs, DVDs, floppy disks, USB memory sticks, or similar removable media on any node that is part of or connected to the ICS should not be permitted in order to prevent the introduction of malware or the inadvertent loss or theft of data. Where the system components use unmodified industry standard protocols, mechanized policy management software can be used to enforce media protection policy.

6.2.11 Physical and Environmental Protection

The security controls that fall within the NIST SP 800-53 Physical and Environmental Protection (PE) family provide policy and procedures for all physical access to an information system including designated entry/exit points, transmission media, and display media. These include controls for monitoring physical access, maintaining logs, and handling visitors. This family also includes controls for the deployment and management of emergency protection controls such as emergency shutdown of the IT system, backup for power and lighting, controls for temperature and humidity, and protection against fire and water damage.

Supplemental guidance for the PE controls can be found in the following documents:
• NIST SP 800-46 provides guidance on telecommuting and broadband communication security [51].
• NIST SP 800-100 provides guidance on information security governance and planning [27].

Physical security measures are designed to reduce the risk of accidental or deliberate loss or damage to plant assets and the surrounding environment. The assets being safeguarded may be physical assets such as tools and plant equipment, the environment, the surrounding community, and intellectual property, including proprietary data such as process settings and customer information.
The deployment of physical security controls is often subject to environmental, safety, regulatory, legal, and other requirements that must be identified and addressed specific to a given environment. The subject of deploying physical security controls is vast and needs to be specific to the type of protection needed.

ICS-specific Recommendations and Guidance

The physical protection of the cyber components and data associated with the ICS must be addressed as part of the overall security of a plant. Security at many ICS facilities is closely tied to plant safety. A primary goal is to keep people out of hazardous situations without preventing them from doing their job or carrying out emergency procedures. Physical security controls are any physical measures, either active or passive, that limit physical access to any information assets in the ICS environment. These measures are employed to prevent many types of undesirable effects, including:
• Unauthorized physical access to sensitive locations.
• Physical modification, manipulation, theft or other removal, or destruction of existing systems, infrastructure, communications interfaces, personnel, or physical locations.
• Unauthorized observation of sensitive informational assets through visual observation, note taking, photographs, or other means.
• Unauthorized introduction of new systems, infrastructure, communications interfaces, or other hardware.
• Unauthorized introduction of devices intentionally designed to cause hardware manipulation, communications eavesdropping, or other harmful impact.

Gaining physical access to a control room or control system components often implies gaining logical access to the process control system as well. Likewise, having logical access to systems such as main servers and control room computers allows an adversary to exercise control over the physical process.
If computers are readily accessible, and they have removable media drives (e.g., floppy disks, compact discs, external hard drives) or USB ports, the drives can be fitted with locks or removed from the computers and USB ports disabled. Depending on security needs and risks, it might also be prudent to disable or physically protect power buttons to prevent unauthorized use. For maximum security, servers should be placed in locked areas and authentication mechanisms (such as keys) protected. Also, the network devices on the ICS network, including switches, routers, network jacks, servers, workstations, and controllers, should be located in a secured area that can only be accessed by authorized personnel. The secured area should also be compatible with the environmental requirements of the devices.

A defense-in-depth solution to physical security should include the following attributes:
• Protection of Physical Locations. Classic physical security considerations typically refer to a ringed architecture of layered security measures. Creating several physical barriers, both active and passive, around buildings, facilities, rooms, equipment, or other informational assets, establishes these physical security perimeters. Physical security controls meant to protect physical locations include fences, anti-vehicle ditches, earthen mounds, walls, reinforced barricades, gates, or other measures. Most organizations include this layered model by preventing access to the plant first by the use of fences, guard shacks, gates, and locked doors.
• Access Control. Access control systems should ensure that only authorized people have access to controlled spaces. An access control system should be flexible. The need for access may be based on time (day vs. night shift), level of training, employment status, work assignment, plant status, and a myriad of other factors.
A system must be able to verify that persons being granted access are who they say they are (usually using something the person has, such as an access card or key; something they know, such as a personal identification number (PIN); or something they are, using a biometric device). Access control should be highly reliable, yet not interfere with the routine or emergency duties of plant personnel. Integration of access control into the process system allows a view into not only security access, but also physical and personnel asset tracking, dramatically accelerating response time in emergencies, helping to direct individuals to safe locations, and improving overall productivity. Within an area, access to network and computer cabinets should be limited to only those who have a need, such as network technicians and engineers, or computer maintenance staff. Equipment cabinets should be locked and wiring should be neat and within cabinets. Consider keeping all computers in secure racks and using peripheral extender technology to connect human-machine interfaces to the racked computers.
• Access Monitoring Systems. Access monitoring systems include still and video cameras, sensors, and various types of identification systems. Examples of these systems include cameras that monitor parking lots, convenience stores, or airline security. These devices do not specifically prevent access to a particular location; rather, they store and record either the physical presence or the lack of physical presence of individuals, vehicles, animals, or other physical entities. Adequate lighting should be provided based on the type of access monitoring device deployed.
• Access Limiting Systems. Access limiting systems may employ a combination of devices to physically control or prevent access to protected resources. Access limiting systems include both active and passive security devices such as fences, doors, safes, gates, and guards.
They are often coupled with identification and monitoring systems to provide role-based access for specific individuals or groups of individuals.
• People and Asset Tracking. Locating people and vehicles in a large installation is important for safety reasons, and it is increasingly important for security reasons as well. Asset location technologies can be used to track the movements of people and vehicles within the plant, to ensure that they stay in authorized areas, to identify personnel needing assistance, and to support emergency response.
• Environmental Factors. In addressing the security needs of the system and data, it is important to consider environmental factors. For example, if a site is dusty, systems should be placed in a filtered environment. This is particularly important if the dust is likely to be conductive or magnetic, as in the case of sites that process coal or iron.
If vibration is likely to be a problem, systems should be mounted on rubber bushings to prevent disk crashes and wiring connection problems. In addition, the environments containing systems and media (e.g., backup tapes, floppy disks) should have stable temperature and humidity. An alarm to the process control system should be generated when environmental specifications such as temperature and humidity are exceeded.
• Environmental Control Systems. Heating, ventilation, and air conditioning (HVAC) systems for control rooms must support plant personnel during normal operation and emergency situations, which could include the release of toxic substances. Fire systems must be carefully designed to avoid causing more harm than good (e.g., to avoid mixing water with incompatible products). HVAC and fire systems have significantly increased roles in security that arise from the interdependence of process control and security. For example, fire prevention and HVAC systems that support industrial control computers need to be protected against cyber incidents.
• Power. Reliable power for the ICS is essential, so an uninterruptible power supply (UPS) should be provided. If the site has an emergency generator, the UPS battery life may only need to be a few seconds; however, if the site relies on external power, the UPS battery life may need to be hours. It should be sized, at a minimum, so that the system can be shut down safely.

6.2.11.1 Control Center/Control Room

ICS-specific Recommendations and Guidance

Providing physical security for the control center/control room is essential to reduce the potential of many threats. Control centers/control rooms frequently have consoles continuously logged onto the primary control server, where speed of response and continual view of the plant is of utmost importance. These areas will often contain the servers themselves, other critical computer nodes, and sometimes plant controllers.
It is essential that access to these areas be limited to authorized users only, using authentication methods such as smart or magnetic identity cards or biometric devices. In extreme cases, it may be considered necessary to make the control center/control room blast-proof, or to provide an offsite emergency control center/control room so that control can be maintained if the primary control center/control room becomes uninhabitable.

6.2.11.2 Portable Devices

ICS-specific Recommendations and Guidance

Computers and computerized devices used for ICS functions (such as PLC programming) should never be allowed to leave the ICS area. Laptops, portable engineering workstations and handhelds (e.g., 375 HART communicator) should be tightly secured and should never be allowed to be used outside the ICS network. Antivirus and patch management should be kept current.

6.2.11.3 Cabling

ICS-specific Recommendations and Guidance

Cabling design and implementation for the control network should be addressed in the cybersecurity plan. Unshielded twisted pair communications cable, while acceptable for the office environment, is generally not suitable for the plant environment due to its susceptibility to interference from magnetic fields, radio waves, temperature extremes, moisture, dust, and vibration. Industrial RJ-45 connectors should be used in place of other types of twisted pair connectors to provide protection against moisture, dust and vibration.
Fiber-optic cable and coaxial cable are often better network cabling choices for the control network because they are immune to many of the typical environmental conditions, including electrical and radio frequency interference, found in an industrial control environment. Cable and connectors should be color-coded and labeled so that the ICS and IT networks are clearly delineated and the potential for an inadvertent cross-connect is reduced. Cable runs should be installed so that access is minimized (i.e., limited to authorized personnel only) and equipment should be installed in locked cabinets with adequate ventilation and air filtration.

6.2.12 Planning

A security plan is a formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements. The security controls that fall within the NIST SP 800-53 Planning (PL) family provide the basis for developing a security plan. These controls also address maintenance issues for periodically updating a security plan. A set of rules describes user responsibilities and expected behavior regarding information system usage, with provision for signed acknowledgement from users indicating that they have read, understand, and agree to abide by the rules of behavior before authorizing access to the information system.

Supplemental guidance for the PL controls can be found in the following documents:

• NIST SP 800-18 provides guidance on preparing rules of behavior [19].
• NIST SP 800-100 provides guidance on information security governance and planning [27].

ICS-specific Recommendations and Guidance

A security plan for an ICS should build on appropriate existing IT security experience, programs, and practices. However, the critical differences between IT and ICS addressed in Section 2.4 will influence how security will be applied to the ICS. A forward-looking plan is needed to provide a method for continuous security improvements. Whenever a new system is being designed and installed, it is imperative to take the time to address security throughout the lifecycle, from architecture to procurement to installation to maintenance to decommissioning. ICS security is a rapidly evolving field requiring the security planning process to constantly explore emerging ICS security capabilities as well as new threats that are identified by organizations such as the ICS-CERT.
6.2.13 Personnel Security

The security controls that fall within the NIST SP 800-53 Personnel Security (PS) family provide policies and procedures to reduce the risk of human error, theft, fraud, or other intentional or unintentional misuse of information systems.

Supplemental guidance for the PS controls can be found in the following documents:

• NIST SP 800-35 provides guidance on information technology security services [44].
• NIST SP 800-73 provides guidance on interfaces for personal identity verification [49].
• NIST SP 800-76 provides guidance on biometrics for personal identity verification [50].
• NIST SP 800-100 provides guidance on information security governance and planning [27].

Personnel security measures are meant to reduce the possibility and risk of human error, theft, fraud, or other intentional or unintentional misuse of informational assets. There are three main aspects to personnel security:

• Hiring Policies. This includes pre-employment screening such as background checks, the interview process, employment terms and conditions, complete job descriptions and detailing of duties, terms and conditions of employment, and legal rights and responsibilities of employees or contractors.
• Organization Policies and Practices. These include security policies, information classification, document and media maintenance and handling policies, user training, acceptable usage policies for organization assets, periodic employee performance reviews, appropriate background checks, and any other policies and actions that detail expected and required behavior of organization employees, contractors, and visitors. Organization policies to be enforced should be written down and readily available to all workers through an employee handbook, distributed as email notices, located in a centralized resource area, or posted directly at a worker's area of responsibility.
• Terms and Conditions of Employment. This category includes job and position responsibilities, notification to employees of terminable offenses, disciplinary actions and punishments, and periodic employee performance reviews.

ICS-specific Recommendations and Guidance

Positions should be categorized with a risk designation and screening criteria, and individuals filling a position should be screened against these criteria and complete an access agreement before being granted access to an information system. Personnel should be screened for the critical positions controlling and maintaining the ICS. Additionally, training programs should be carefully developed to ensure that each employee has received training relevant and necessary to their job functions. Further, ensure that the employees have demonstrated their competence in their job functions.
6.2.14 Risk Assessment

The security controls that fall within the NIST SP 800-53 Risk Assessment (RA) family provide policy and procedures to develop, distribute, and maintain a documented risk assessment policy that describes purpose, scope, roles, responsibilities, and compliance, as well as policy implementation procedures. An information system and associated data is categorized based on the security objectives and a range of risk levels. A risk assessment is performed to identify risks and the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of an information system and data. Also included in these controls are mechanisms for keeping risk assessments up-to-date and performing periodic testing and vulnerability assessments.

Supplemental guidance for the RA controls can be found in the following documents:

• NIST SP 800-30 provides guidance on conducting risk assessments and updates [79].
• NIST SP 800-39 provides guidance on risk management at all organizational levels [20].
• NIST SP 800-40 provides guidance on handling security patches [40].
• NIST SP 800-115 provides guidance on network security testing [41].
• NIST SP 800-60 provides guidance on determining security categories for information types [25].
• NIST SP 800-100 provides guidance on information security governance and planning [27].

ICS-specific Recommendations and Guidance

Organizations must consider the potential consequences resulting from an incident on an ICS. Well-defined policies and procedures lead to mitigation techniques designed to thwart incidents and manage the risk to eliminate or minimize the consequences. The potential degradation of the physical plant, economic status, or stakeholder/national confidence could justify mitigation.

For an ICS, a very important aspect of the risk assessment is to determine the value of the data that is flowing from the control network to the corporate network. In instances where pricing decisions are determined from this data, the data could have a very high value. The fiscal justification for mitigation has to be derived by comparing the mitigation cost to the effects of the consequence. However, it is not possible to define a one-size-fits-all set of security requirements. A very high level of security may be achievable but undesirable in many situations because of the loss of functionality and other associated costs. A well-thought-out security implementation is a balance of risk versus cost. In some situations the risk may be safety, health, or environment-related rather than purely economic. The risk may result in an unrecoverable consequence rather than a temporary financial setback.

6.2.15 System and Services Acquisition

The security controls that fall within the NIST SP 800-53 System and Services Acquisition (SA) family provide the basis for developing policies and procedures for acquisition of resources required to adequately protect an information system. These acquisitions are based on security requirements and security specifications. As part of the acquisition procedures, an information system is managed using a system development life cycle methodology that includes information security considerations. As part of acquisition, adequate documentation must be maintained on the information system and constituent components.
The SA family also addresses outsourced systems and the inclusion of adequate security controls by vendors as specified by the supported organization. Vendors are also responsible for configuration management and security testing for these outsourced information systems.

Supplemental guidance for the SA controls can be found in the following documents:

• NIST SP 800-23 provides guidance on the acquisition and use of tested/evaluated information technology products [42].
• NIST SP 800-27 provides guidance on engineering principles for information system security [43].
• NIST SP 800-35 provides guidance on information technology security services [44].
• NIST SP 800-36 provides guidance on the selection of information security products [45].
• NIST SP 800-64 provides guidance on security considerations in the system development life cycle [46].
• NIST SP 800-65 provides guidance on integrating security into the capital planning and investment control process [47].
• NIST SP 800-70 provides guidance on configuration settings for information technology products [26].
• NIST SP 800-100 provides guidance on information security governance and planning [27].

ICS-specific Recommendations and Guidance

The security requirements of an organization outsourcing the management and control of all or some of its information systems, networks, and desktop environments should be addressed in a contract agreed between the parties. External suppliers that have an impact on the security of the organization must be held to the same security policies and procedures to maintain the overall level of ICS security. Security policies and procedures of second- and third-tier suppliers should also be in compliance with corporate cybersecurity policies and procedures in the case that they impact ICS security. DHS has developed a procurement language document [48] for specifying security requirements when procuring new systems or maintaining existing systems.

6.2.16 System and Communications Protection

The security controls that fall within the NIST SP 800-53 System and Communications Protection (SC) family provide policy and procedures for protecting systems and data communications components.

Supplemental guidance for the SC controls can be found in the following documents:

• NIST SP 800-28 provides guidance on active content and mobile code [69].
• NIST SP 800-52 provides guidance on Transport Layer Security (TLS) implementations [70].
• NIST SP 800-56 provides guidance on cryptographic key establishment [71].
• NIST SP 800-57 provides guidance on cryptographic key management [72].
• NIST SP 800-58 provides guidance on security considerations for VoIP technologies [73].
• NIST SP 800-63 provides guidance on remote electronic authentication [53].
• NIST SP 800-77 provides guidance on IPsec VPNs [74].

6.2.16.1 Encryption

Encryption is the cryptographic transformation of data (called plaintext) into a form (called ciphertext) that conceals the data's original meaning to prevent it from being known or used. If the transformation is reversible, the corresponding reversal process is called decryption, which is a transformation that restores encrypted data to its original state [75].

ICS-specific Recommendations and Guidance

Before deploying encryption, first determine if encryption is an appropriate solution for the specific ICS application, because authentication and integrity are generally the key security issues for ICS applications. Other cryptographic solutions such as cryptographic hashes should also be considered.

The use of encryption within an ICS environment could introduce communications latency due to the additional time and computing resources required to encrypt, decrypt, and authenticate each message. For ICS, any latency induced from the use of encryption, or any other security technique, must not degrade the operational performance of the end device or system. Before deploying encryption within an ICS environment, solutions should go through extensive performance testing. Encryption at OSI Layer 2 should be considered, rather than at Layer 3, to reduce encryption latency.

In addition, encrypted messages are often larger than unencrypted messages due to one or more of the following:

• Additional checksums to reduce errors.
• Protocols to control the cryptography.
• Padding (for block ciphers).
• Authentication procedures.
• Other required cryptographic processes.

Cryptography also introduces key management issues. Sound security policies require periodic key changes. This process becomes more difficult as the geographic size of the ICS increases, with extensive SCADA systems being the most severe example.
Because site visits to change keys can be costly and slow, it is useful to be able to change keys remotely.

If cryptography is selected, the most effective safeguard is to use a complete cryptographic system approved by the NIST/Communications Security Establishment (CSE) Cryptographic Module Validation Program (CMVP) [footnote 41]. Within this program standards are maintained to ensure that cryptographic systems were studied carefully for weaknesses by a wide range of experts, rather than being developed by a few engineers in a single organization. At a minimum, certification makes it probable that:

• Some method (such as counter mode) will be used to ensure that the same message does not generate the same value each time.
• ICS messages are protected against replay and forging.
• Key management is secure throughout the life cycle of the key.
• The system is using an effective random number generator.
• The entire system has been implemented securely.

Even then, the technology is effective only if it is an integral part of an effectively enforced information security policy. American Gas Association (AGA) report 12-1 [5] contains an example of such a security policy. While it is directed toward a natural gas SCADA system, many of its policy recommendations could apply to any ICS.

For an ICS, encryption can be deployed as part of a comprehensive, enforced security policy. Organizations should select cryptographic protection based on a risk assessment and the identified value of the information being protected and ICS operating constraints.

Footnote 41: Information on the CMVP can be found on the CMVP web site http://csrc.nist.gov/cryptval/cmvp.htm.
Translator's note (JPCERT): In Japan, the IPA Security Center operates a cryptographic module testing and validation program based on JIS X 19790, which originates from FIPS 140-2 (http://www.ipa.go.jp/security/jcmvp/index.html).
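The certification properties listed above (fresh ciphertext for a repeated message, rejection of replayed and forged messages, and the size overhead that authentication adds) can be seen concretely in the following added example, which is not part of NIST SP 800-82 or of JPCERT's translation. It frames a constructed Modbus-style command with a sequence number, an HMAC-SHA256 keystream in counter mode and an encrypt-then-MAC tag. The keys, message bytes and frame layout are assumptions made for illustration, and the construction is not a CMVP-validated module, which the guidance above requires for production use.

```python
"""Authenticated, replay-protected framing for an ICS message (added illustration).

Stdlib only. The stream cipher is an HMAC-SHA256 keystream in counter mode,
used to show the properties the text lists (fresh ciphertext per message,
replay and forgery rejection, size overhead). It is NOT a CMVP-validated module.
"""
import hashlib
import hmac
import struct

# Constructed sample keys (assumption): a real deployment obtains these from a
# key-management system and rotates them periodically.
MASTER_KEY = b"constructed-master-key-for-illustration-only"
KEY_ENC = hashlib.sha256(b"enc|" + MASTER_KEY).digest()
KEY_MAC = hashlib.sha256(b"mac|" + MASTER_KEY).digest()

SEQ_LEN = 8    # 64-bit sequence number, sent in the clear but authenticated
TAG_LEN = 32   # HMAC-SHA256 tag

# Constructed sample: a Modbus-style "write single register" request body.
SAMPLE_COMMAND = b"\x01\x06\x00\x10\x00\x2a"


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, seq || block_index), block by block."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QI", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def protect(seq: int, plaintext: bytes) -> bytes:
    """Return seq || ciphertext || tag (encrypt-then-MAC over seq and ciphertext)."""
    header = struct.pack(">Q", seq)
    ciphertext = _xor(plaintext, _keystream(KEY_ENC, seq, len(plaintext)))
    tag = hmac.new(KEY_MAC, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def overhead_bytes() -> int:
    """Bytes added to every message by the sequence number and the tag."""
    return SEQ_LEN + TAG_LEN


class Receiver:
    """Verifies the tag first, then rejects any sequence number already seen."""

    def __init__(self) -> None:
        self.last_seq = -1

    def unprotect(self, frame: bytes):
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None, "truncated"
        header, ciphertext, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(KEY_MAC, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"           # forged or corrupted; state untouched
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            return None, "replay"            # old or duplicated message
        self.last_seq = seq
        return _xor(ciphertext, _keystream(KEY_ENC, seq, len(ciphertext))), "ok"


def run_demo() -> dict:
    """Exercise the listed properties on the constructed command."""
    rx = Receiver()
    frame1 = protect(1, SAMPLE_COMMAND)
    frame2 = protect(2, SAMPLE_COMMAND)      # same command, next sequence number
    forged = frame2[:-1] + bytes([frame2[-1] ^ 0x01])  # flip one bit of the tag
    return {
        "distinct_ciphertext_for_same_command": frame1[SEQ_LEN:-TAG_LEN] != frame2[SEQ_LEN:-TAG_LEN],
        "overhead": len(frame1) - len(SAMPLE_COMMAND),
        "first_delivery": rx.unprotect(frame1),
        "replayed_delivery": rx.unprotect(frame1),
        "forged_delivery": rx.unprotect(forged),
        "next_delivery": rx.unprotect(frame2),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The receiver checks the tag before it looks at the sequence number, so a forged frame can neither advance nor reset the replay state. A strict "greater than last seen" rule is used because the constructed link delivers in order; a lossy or reordering ICS link would need a sliding window instead. The 40 bytes of overhead per frame is the kind of figure that the performance testing recommended above should measure against the end device's cycle time.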
Specifically, a cryptographic key should be long enough so that guessing it or determining it through analysis takes more effort, time, and cost than the value of the protected asset. The encryption hardware should be protected from physical tampering and uncontrolled electronic connections. Assuming cryptography is the appropriate solution, organizations should select cryptographic protection with remote key management if the units being protected are so numerous or geographically dispersed that changing keys is difficult or expensive. Use separate plaintext and ciphertext ports unless the network absolutely requires the restriction to pass both plaintext and ciphertext through each port. Use only modules that can be certified to comply with a standard, such as FIPS 140-2 [90], through the Cryptographic Module Validation Program (CMVP).

6.2.16.2 Virtual Private Network (VPN)

One method of encrypting communication data is through a VPN, which is a private network that operates as an overlay on a public infrastructure, so that the private network can function across a public network. The most common types of VPN technologies implemented today are:

• Internet Protocol Security (IPsec). IPsec is a set of standards defined by the IETF to govern the secure communications of data across public networks at the IP layer. IPsec is included in many current operating systems. The intent of the standards is to guarantee interoperability across vendor platforms; however, the reality is that the determination of interoperability of multi-vendor implementations depends on specific implementation testing conducted by the end-user organization. IPsec supports two encryption modes: transport and tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. The more secure tunnel mode adds a new header to each packet and encrypts both the original header and the payload. On the receiving side, an IPsec-compliant device decrypts each packet. The protocol has been continually enhanced to address specific requirements, such as extensions to the protocol to address individual user authentication and NAT device traversal. These extensions are typically vendor-specific and can lead to interoperability issues, primarily in host-to-security gateway environments. NIST SP 800-77 provides guidance on IPsec VPNs [74].
• Secure Sockets Layer (SSL). SSL provides a secure channel between two machines that encrypts the contents of each packet. The IETF made slight modifications to the SSL version 3 protocol and created a new protocol called Transport Layer Security (TLS). The terms "SSL" and "TLS" are often used interchangeably, and this document generically uses the SSL terminology. SSL is most often recognized for securing HTTP traffic; this protocol implementation is known as HTTP Secure (HTTPS). However, SSL is not limited to HTTP traffic; it can be used to secure many different application layer programs. SSL-based VPN products have gained acceptance because of the market for "clientless" VPN products. These products use standard Web browsers as clients, which have built-in SSL support. The "clientless" term means that there is no need to install or configure third-party VPN "client" software on users' systems. NIST SP 800-52 provides guidance on SSL configuration [70].
• Secure Shell (SSH). SSH is a command interface and protocol for securely gaining access to a remote computer. It is widely used by network administrators to remotely control Web servers and other types of servers. The latest version, SSH2, is a proposed set of standards from the IETF. Typically, SSH is deployed as a secure alternative to a telnet application. SSH is included in most UNIX distributions, and is typically added to other platforms through a third-party package.

ICS-specific Recommendations and Guidance

VPNs are most often used in the ICS environment to provide secure access from an untrusted network to the ICS control network. Untrusted networks can range from the Internet to the corporate LAN. Properly configured, VPNs can greatly restrict access to and from control system host computers and controllers, thereby improving security. They can also potentially improve control network responsiveness by removing unauthorized non-essential traffic from the intermediary network.

Other possible deployments include using either host-based or mini-standalone security gateways, either interposed before or running on individual control devices. This technique of implementing VPNs on an individual device basis can have significant administration overhead.

VPN devices used to protect control systems should be thoroughly tested to verify that the VPN technology is compatible with the application and that implementation of the VPN devices does not unacceptably affect network traffic characteristics.
6.2.17 System and Information Integrity

Maintaining system and information integrity assures that sensitive data has not been modified or deleted in an unauthorized and undetected manner. The security controls that fall within the NIST SP 800-53 System and Information Integrity (SI) family provide policies and procedures for identifying, reporting, and correcting information system flaws. Controls exist for malicious code detection, spam and spyware protection, and intrusion detection, although they may not be appropriate for all ICS applications. Also provided are controls for receiving security alerts and advisories, and the verification of security functions on the information system. In addition, there are controls within this family to detect and protect against unauthorized changes to software and data, provide restrictions to data input and output, and check for the accuracy, completeness, and validity of data as well as handle error conditions, although they may not be appropriate for all ICS applications.

Supplemental guidance for the SI controls can be found in the following documents:

• NIST SP 800-40 provides guidance on security patch installation [40].
• NIST SP 800-94 provides guidance on Intrusion Detection and Prevention (IDP) Systems [55].
• NIST SP 800-100 provides guidance on information security governance and planning [27].

ICS-specific Recommendations and Guidance

Controls exist for malicious code detection, spam and spyware protection, and intrusion detection, although they may not be appropriate for all ICS applications. ICS-specific recommendations and guidance for these controls are included in Sections 6.2.17.1 and 6.2.17.2.
6.2.17.1 Virus and Malicious Code Detection

Antivirus and malware code detection products evaluate files on a computer's storage devices against an inventory of known malware signature files. If one of the files on a computer matches the profile of a known virus, the virus is removed through a disinfection process (e.g., quarantine, deletion) so it cannot infect other local files or communicate across a network to infect other files. Antivirus software can be deployed on workstations, servers, firewalls and handheld devices.
ICS-specific Recommendations and Guidance

Antivirus tools only function effectively when installed, configured, running full-time, and maintained properly against the state of known attack methods and payloads. While antivirus tools are common security practice in IT computer systems, their use with ICS may require adopting special practices including compatibility checks, change management issues, and performance impact metrics. These special practices should be utilized whenever new signatures or new versions of antivirus software are installed.

Major ICS vendors recommend and even support the use of particular antivirus tools. In some cases, control system vendors may have performed regression testing across their product line for supported versions of a particular antivirus tool and also provide associated installation and configuration documentation. There is also an effort to develop a general set of guidelines and test procedures focused on ICS performance impacts to fill the gaps where ICS and antivirus vendor guidance is not available [56]. Generally:

• Windows, Unix, Linux systems, etc. used as consoles, engineering workstations, data historians, HMIs and general purpose SCADA and backup servers can be secured just like commercial IT equipment: install push- or auto-updated antivirus and patch management software with updates distributed via an antivirus server and patch management server located inside the process control network and auto-updated from the IT network.

• Follow vendor recommendations on all other servers and computers (DCS, PLC, instruments) that have time-dependent code, a modified or extended operating system, or any other change that makes them different from any standard PC that one could buy at an office supply or computer store. Expect the vendor to make periodic maintenance releases that include security patches.
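The signature-inventory scan that Section 6.2.17.1 describes, reduced to its mechanics, as an added example; this is not code from NIST SP 800-82 or from any antivirus vendor. Every file under a directory is hashed with SHA-256 and compared against an inventory of known-bad digests, matches are quarantined (moved out of place rather than deleted, so the sample survives for analysis), and a run against a signature inventory older than the allowed age is never reported as clean, which is the "maintained properly" point of the ICS guidance above. The file tree, the digest inventory, its timestamp and the sample bytes are constructed for the demonstration and are not real malware indicators.

```python
"""Added example (not from NIST SP 800-82 or any antivirus product): a minimal
signature-based file scanner with quarantine and a stale-inventory check.
All files, digests and timestamps below are constructed for the demonstration.
"""
import hashlib
import json
import shutil
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional, Set, Tuple


@dataclass
class SignatureInventory:
    digests: Set[str]
    published: float  # POSIX time the inventory was issued

    @classmethod
    def load(cls, path: Path) -> "SignatureInventory":
        data = json.loads(path.read_text())
        return cls(set(data["sha256"]), float(data["published"]))

    def is_stale(self, max_age_seconds: float, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return now - self.published > max_age_seconds


@dataclass
class ScanReport:
    scanned: int = 0
    quarantined: List[Tuple[str, str]] = field(default_factory=list)  # (path, digest)
    stale_signatures: bool = False

    @property
    def clean(self) -> bool:
        # Stale signatures mean "unknown", never "clean".
        return not self.quarantined and not self.stale_signatures


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, inventory: SignatureInventory, quarantine: Path,
              max_signature_age: float = 7 * 86400, now: Optional[float] = None) -> ScanReport:
    """Hash every file under root; quarantine those whose digest is in the inventory."""
    report = ScanReport(stale_signatures=inventory.is_stale(max_signature_age, now))
    quarantine.mkdir(parents=True, exist_ok=True)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        report.scanned += 1
        digest = sha256_file(path)
        if digest in inventory.digests:
            # Move, do not delete: the sample is kept for later analysis.
            dest = quarantine / f"{path.name}.{digest[:12]}.quar"
            shutil.move(str(path), str(dest))
            report.quarantined.append((str(path), digest))
    return report


def build_demo(workdir: Path, now: float) -> Tuple[Path, Path]:
    """Construct a small host file tree and a one-hour-old signature inventory."""
    binaries = workdir / "hmi" / "bin"
    binaries.mkdir(parents=True)
    sample = binaries / "updater.exe"
    sample.write_bytes(b"CONSTRUCTED SAMPLE - NOT REAL MALWARE")
    (binaries / "hmi.exe").write_bytes(b"constructed legitimate HMI binary")
    inventory_path = workdir / "signatures.json"
    inventory_path.write_text(json.dumps({"published": now - 3600,
                                          "sha256": [sha256_file(sample)]}))
    return workdir / "hmi", inventory_path


def run_demo(now: Optional[float] = None) -> dict:
    """Scan the constructed tree in a temporary directory and return the outcome."""
    now = time.time() if now is None else now
    with tempfile.TemporaryDirectory() as d:
        workdir = Path(d)
        root, inventory_path = build_demo(workdir, now)
        report = scan_tree(root, SignatureInventory.load(inventory_path),
                           workdir / "quarantine", now=now)
        return {"report": report,
                "sample_still_in_place": (root / "bin" / "updater.exe").exists(),
                "quarantined_files": len(list((workdir / "quarantine").iterdir()))}


if __name__ == "__main__":
    outcome = run_demo()
    print(outcome["report"], "quarantined files:", outcome["quarantined_files"])
```

On a real host the inventory would be pulled from the antivirus server inside the process control network that the first bullet above describes, and the `max_signature_age` threshold is the place to encode how long a missed update is tolerated before the host is treated as unprotected.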
6.2.17.2 Intrusion Detection and Prevention

Intrusion detection systems (IDS) monitor events on a network, such as traffic patterns, or a system, such as log entries or file accesses, so that they can identify an intruder breaking into or attempting to break into a system [57]. IDS ensure that unusual activity such as new open ports, unusual traffic patterns, or changes to critical operating system files is brought to the attention of the appropriate security personnel. The two most commonly used types of IDS are:

• Network-Based IDS. These systems monitor network traffic and generate alarms when they identify traffic that they deem to be an attack.
• Host-Based IDS. This software monitors one or more types of characteristics of a system, such as application log file entries, system configuration changes, and access to sensitive data on a system and responds with an alarm or countermeasure when a user attempts to breach security.

ICS-specific Recommendations and Guidance

An effective IDS deployment typically involves both host-based and network-based IDS. In the current ICS environment, network-based IDS are most often deployed between the control network and the corporate network in conjunction with a firewall; host-based IDS are most often deployed on the computers that use general-purpose OSs or applications such as HMIs, SCADA servers, and engineering workstations.
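Network security monitoring of the kind the network-based deployment above supports, as an added example that is not code from NIST SP 800-82 or from any IDS product: the normal state of the control network is learned from a baseline capture, and the observation window is then checked for a host that never appeared before, a known host opening a new service (telnet to the PLC), and an ICS-protocol-aware deviation, a Modbus/TCP write from a host that only ever read. The flow records are constructed NetFlow-like CSV; the addresses and host roles are assumptions for the demonstration. Modbus function codes 5, 6, 15 and 16 are the standard coil and register write codes.

```python
"""Added example (not from NIST SP 800-82 or any IDS product): baseline the
normal state of a control network from constructed flow records and alert on
deviations, including an unexpected Modbus write.  Addresses and roles are
assumptions for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

MODBUS_PORT = 502
MODBUS_WRITE_CODES = {5, 6, 15, 16}  # write coil(s) / write register(s)

# Constructed baseline from a known-good period: HMI (.20) polls the PLC (.50),
# the engineering workstation (.30) occasionally writes, the historian (.40)
# reads registers and talks HTTPS to the HMI.
BASELINE_FLOWS = """\
ts,src,dst,proto,dport,fc
1,10.10.1.20,10.10.1.50,tcp,502,3
2,10.10.1.20,10.10.1.50,tcp,502,3
3,10.10.1.30,10.10.1.50,tcp,502,16
4,10.10.1.40,10.10.1.50,tcp,502,4
5,10.10.1.40,10.10.1.20,tcp,443,
6,10.10.1.20,10.10.1.50,tcp,502,3
"""

# Constructed observation window: a normal poll, a historian that suddenly
# writes, an unknown host, the HMI opening telnet to the PLC, a normal write.
OBSERVED_FLOWS = """\
ts,src,dst,proto,dport,fc
100,10.10.1.20,10.10.1.50,tcp,502,3
101,10.10.1.40,10.10.1.50,tcp,502,16
102,10.10.1.99,10.10.1.50,tcp,502,3
103,10.10.1.20,10.10.1.50,tcp,23,
104,10.10.1.30,10.10.1.50,tcp,502,16
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    proto: str
    dport: int
    fc: Optional[int]  # Modbus function code; None for non-Modbus flows


def parse_flows(text: str) -> List[Flow]:
    """Parse the CSV records, skipping the header line."""
    flows = []
    for line in text.strip().splitlines()[1:]:
        ts, src, dst, proto, dport, fc = line.split(",")
        flows.append(Flow(int(ts), src, dst, proto, int(dport), int(fc) if fc else None))
    return flows


@dataclass
class Baseline:
    services: Set[Tuple[str, str, str, int]]  # (src, dst, proto, dport) seen as normal
    writers: Set[Tuple[str, str]]             # (src, dst) pairs that legitimately write


def learn_baseline(flows: List[Flow]) -> Baseline:
    services = {(f.src, f.dst, f.proto, f.dport) for f in flows}
    writers = {(f.src, f.dst) for f in flows
               if f.dport == MODBUS_PORT and f.fc in MODBUS_WRITE_CODES}
    return Baseline(services, writers)


def detect(flows: List[Flow], baseline: Baseline) -> List[dict]:
    """Return one alert per deviation, carrying enough detail to investigate."""
    known_sources = {src for src, _, _, _ in baseline.services}
    alerts = []
    for f in flows:
        if (f.src, f.dst, f.proto, f.dport) not in baseline.services:
            kind = "new_host" if f.src not in known_sources else "new_service"
            alerts.append({"ts": f.ts, "kind": kind, "src": f.src,
                           "dst": f.dst, "dport": f.dport})
        if (f.dport == MODBUS_PORT and f.fc in MODBUS_WRITE_CODES
                and (f.src, f.dst) not in baseline.writers):
            alerts.append({"ts": f.ts, "kind": "unexpected_modbus_write",
                           "src": f.src, "dst": f.dst, "fc": f.fc})
    return alerts


def run_demo() -> List[dict]:
    baseline = learn_baseline(parse_flows(BASELINE_FLOWS))
    return detect(parse_flows(OBSERVED_FLOWS), baseline)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The baseline is what lets the detector separate an attack from a transient condition: a historian writing to the PLC is not an "Internet attack" any generic signature would catch, but it contradicts the learned normal state and is exactly the kind of event the security staff should be told about, with the source, destination and function code needed to investigate it.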
Properly configured, an IDS can greatly enhance the security management team's ability to detect attacks entering or leaving the system, thereby improving security. They can also potentially improve a control network's efficiency by detecting non-essential traffic on the network. However, even when IDS are implemented, security staff can primarily recognize individual attacks, as opposed to organized patterns of attacks over time. Network security monitoring and an understanding of the normal state of the ICS network can help distinguish attacks from transient conditions, and both trigger and provide information into events that are outside the normal state.

Current IDS and IPS products are effective in detecting and preventing well-known Internet attacks, but until recently they have not addressed ICS protocol attacks. IDS and IPS vendors are beginning to develop and incorporate attack signatures for various ICS protocols such as Modbus, DNP3, and ICCP [58].

6.2.17.3 Patch Management

Patches are additional pieces of code that have been developed to address specific problems or flaws in existing software. Vulnerabilities are flaws that can be exploited, enabling unauthorized access to IT systems or enabling users to have access to greater privileges than authorized. A systematic approach to managing and using software patches can help organizations to improve the overall security of their IT systems in a cost-effective way. Organizations that actively manage and use software patches can reduce the chances that the vulnerabilities in their IT systems can be exploited; in addition, they can save time and money that might be spent in responding to vulnerability-related incidents.

NIST SP 800-40 Revision 3 [40] provides guidance for organizational security managers who are responsible for designing and implementing security patch and vulnerability management programs and for testing the effectiveness of the programs in reducing vulnerabilities.
The guidance is also useful to system administrators and operations personnel who are responsible for applying and testing patches and for deploying solutions to vulnerability problems.

ICS-specific Recommendations and Guidance

Applying patches to OS components creates another situation where significant care should be exercised in the ICS environment. Patches should be adequately tested (e.g., off-line on a comparable ICS) to determine the acceptability of side effects. Regression testing is advised. It is not uncommon for patches to have an adverse effect on other software. A patch may remove a vulnerability, but it can also introduce a greater risk from a production or safety perspective. Patching the vulnerability may also change the way the OS or application works with control applications, causing the control application to lose some of its functionality. Another issue is that many ICS utilize older versions of operating systems that are no longer supported by the vendor. Consequently, available patches may not be applicable. Organizations should implement a systematic, accountable, and documented ICS patch management process for managing exposure to vulnerabilities.

Once the decision is made to deploy a patch, there are other tools that automate this process from a centralized server and with confirmation that the patch has been deployed correctly. Consider separating the automated process for ICS patch management from the automated process for non-ICS applications. Patching should be scheduled to occur during planned ICS outages.
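The ICS patch management process described above, expressed as a release gate and a post-deployment check, as an added example that is not code from NIST SP 800-82 or from any patch management product. A patch is released to control-system hosts only when its record documents vendor approval, off-line testing on a comparable ICS, a passed regression test and an accountable approver, and only when the whole deployment (not just its start) fits inside a planned ICS outage window; afterwards each target host must report the expected package version before the patch is considered deployed correctly. The patch identifier, host names, versions and outage window are constructed placeholders.

```python
"""Added example (not from NIST SP 800-82 or any patch management product):
a release gate plus a deployment confirmation step for ICS patches.  The
patch id, hosts, versions and outage window below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class PatchRecord:
    patch_id: str
    vendor_approved: bool              # vendor supports this patch on the product line
    tested_offline: bool               # exercised on a comparable, non-production ICS
    regression_passed: Optional[bool]  # None = regression run not yet recorded
    approver: str                      # accountable person who signed off
    target_hosts: List[str]
    expected_version: str              # package version a host reports once patched


@dataclass
class OutageWindow:
    start: datetime
    end: datetime

    def covers(self, start: datetime, duration: timedelta) -> bool:
        """True when the full deployment, not just its start, fits in the window."""
        return self.start <= start and start + duration <= self.end


def release_blockers(patch: PatchRecord, start: datetime, duration: timedelta,
                     windows: List[OutageWindow]) -> List[str]:
    """Return every reason the release must not proceed; an empty list means go."""
    reasons = []
    if not patch.vendor_approved:
        reasons.append("vendor has not approved the patch for this product line")
    if not patch.tested_offline:
        reasons.append("patch was not tested off-line on a comparable ICS")
    if patch.regression_passed is not True:
        reasons.append("regression test result missing or failed")
    if not patch.approver:
        reasons.append("no accountable approver recorded")
    if not any(w.covers(start, duration) for w in windows):
        reasons.append("deployment does not fit inside a planned ICS outage window")
    return reasons


def verify_deployment(patch: PatchRecord,
                      reported: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split target hosts into those confirmed at the expected version and the rest."""
    confirmed = [h for h in patch.target_hosts if reported.get(h) == patch.expected_version]
    unconfirmed = [h for h in patch.target_hosts if h not in confirmed]
    return confirmed, unconfirmed


# Constructed demonstration data (placeholder patch id, not a real vendor patch).
DEMO_PATCH = PatchRecord(
    patch_id="EXAMPLE-OS-PATCH-01",
    vendor_approved=True, tested_offline=True, regression_passed=True,
    approver="control.engineer", target_hosts=["hmi-01", "hist-01", "eng-01"],
    expected_version="4.2.1",
)
DEMO_WINDOWS = [OutageWindow(datetime(2015, 7, 4, 2, 0), datetime(2015, 7, 4, 6, 0))]
DEMO_DURATION = timedelta(hours=1, minutes=30)


def demo_in_window() -> List[str]:
    return release_blockers(DEMO_PATCH, datetime(2015, 7, 4, 3, 0), DEMO_DURATION, DEMO_WINDOWS)


def demo_overruns_window() -> List[str]:
    # Starts inside the window but would still be running when it closes.
    return release_blockers(DEMO_PATCH, datetime(2015, 7, 4, 5, 0), DEMO_DURATION, DEMO_WINDOWS)


def demo_untested() -> List[str]:
    untested = PatchRecord(**{**DEMO_PATCH.__dict__,
                              "tested_offline": False, "regression_passed": None})
    return release_blockers(untested, datetime(2015, 7, 4, 3, 0), DEMO_DURATION, DEMO_WINDOWS)


def demo_verify() -> Tuple[List[str], List[str]]:
    # hist-01 still reports the old version; eng-01 never reported back at all.
    return verify_deployment(DEMO_PATCH, {"hmi-01": "4.2.1", "hist-01": "4.1.9"})


if __name__ == "__main__":
    print("in window:", demo_in_window())
    print("overruns:", demo_overruns_window())
    print("untested:", demo_untested())
    print("verify:", demo_verify())
```

Returning the full list of blockers rather than a single yes/no is deliberate: the record of why a release was refused is part of the "accountable and documented" process, and a host that never reports back is treated the same as one reporting the wrong version, since silence is not confirmation.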
6.2.18 Program Management

The security controls that fall within the NIST SP 800-53 Program Management (PM) family focus on the organization-wide information security requirements that are independent of any particular information system and are essential for managing information security programs. Organizations document program management controls in the information security program plan. The organization-wide information security program plan supplements the individual security plans developed for each organizational information system. In addition to documenting the information security program management controls, the security program plan provides a vehicle for the organization, in a central repository, to document all security controls that have been designated as common controls (i.e., security controls inherited by organizational information systems).

6.2.19 Privacy Controls

Protecting the privacy of personally identifiable information (PII)⁴³ collected, used, maintained, shared, and disposed of by programs and information systems is critical given the advances in information technologies and applications of those technologies. Effective privacy for individuals depends on the safeguards employed within the organizational information systems that are processing, storing, and transmitting PII. Organizations cannot have effective privacy without a foundation of information security. However, privacy is more than security and includes, for example, the principles of transparency, notice, and choice.

The privacy controls focus on information privacy as a value distinct from, but highly interrelated with, information security. The privacy controls are based on the Fair Information Practice Principles (FIPPs) embodied in the Privacy Act of 1974, Section 208 of the E-Government Act of 2002, and related Office of Management and Budget (OMB) guidance. The FIPPs are designed to build public trust in an organization's privacy practices and to help organizations avoid tangible costs and intangible damages stemming from privacy incidents.

43 OMB Memorandum 07-16 defines PII as "information which can be used to distinguish or trace an individual's identity such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc." [86]. OMB Memorandum 10-22 reaffirmed this definition [87]. NIST Special Publication 800-122 defines PII as "any information about an individual [that is] maintained by an agency, including: (i) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (ii) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information" [88].
Privacy controls are the administrative, technical, and physical safeguards employed within organizations to protect and ensure the proper handling of PII. There are eight privacy control families with each family aligning with one of the FIPPs. The privacy control families can be implemented at the organization, department, agency, component, office, program, or information system level. The privacy controls are structured in a similar manner to the information system security controls in Appendix F of NIST SP 800-53.

The Privacy Appendix of NIST SP 800-53, Rev. 4 [22], provides a structured set of privacy controls, based on international standards and best practices to help organizations enforce requirements derived from federal privacy legislation, policies, regulations, directives, standards, and guidance. Additionally, it establishes a linkage and relationship between privacy and security controls for purposes of enforcing respective privacy and security requirements that may overlap in concept and in implementation within federal information systems, programs, and organizations.
The privacy controls are intended primarily for use by an organization's Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) when working with program managers, information system developers, and information security personnel to determine how best to incorporate effective privacy protections and practices within those programs and/or systems. These controls facilitate the organization's efforts to comply with privacy requirements affecting those programs and/or systems that collect, use, maintain, share, or dispose of PII. This promotes closer cooperation between privacy and security officials within the federal government to help achieve the objectives of senior leaders/executives in enforcing the requirements in federal privacy legislation, policies, regulations, directives, standards, and guidance.

The 8 privacy control families include:

• Authority and Purpose (AP).
• Accountability, Audit, and Risk Management (AR).
• Data Quality and Integrity (DI).
• Data Minimization and Retention (DM).
• Individual Participation and Redress (IP).
• Security (SE).
• Transparency (TR).
• Use Limitation (UL).
Appendix A: Acronyms and Abbreviations

Selected acronyms and abbreviations used in the Guide to Industrial Control Systems (ICS) Security are defined below.
AC ACL AGA API ARP Alternating Current Access Control List American Gas Association American Petroleum Institute Address Resolution Protocol BCP Business Continuity Plan CIDX CIGRE CIP CMVP COTS CPNI CPU CSE CSRC CSSC CVE Chemical Industry Data Exchange International Council on Large Electric Systems Critical Infrastructure Protection Cryptographic Module Validation Program Commercial Off-the-Shelf Centre for the Protection of National Infrastructure Central Processing Unit Communications Security Establishment Computer Security Resource Center Control System Security Center Common Vulnerabilities and Exposures DCOM DCS DETL DHS DMZ DNP3 DNS DOE DoS DRP Distributed Component Object Model Distributed Control System(s) Distributed Energy Technology Laboratory Department of Homeland Security Demilitarized Zone DNP3 Distributed Network Protocol (published as IEEE 1815) Domain Name System Department of Energy Denial of Service Disaster Recovery Plan EAP EMS EPRI ERP Extensible Authentication Protocol Energy Management System Electric Power Research Institute Enterprise Resource Planning FIPS FISMA FTP Federal Information Processing Standards Federal Information Security Modernization Act File Transfer Protocol GAO GPS Government Accountability Office Global Positioning System HMI HSPD HTTP Human-Machine Interface Homeland Security Presidential Directive Hypertext Transfer Protocol 213 SP800-82 第 2 ç ä»é² A ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ã é åèªåã³ç¥èª ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ãã§äœ¿çšããäž»ãªé åèªåã³ç¥èªã®å®çŸ©ã¯ä»¥äžã® ãšããã AC äº€æµ ACL ã¢ã¯ã»ã¹å¶åŸ¡ãªã¹ã AGA ç±³åœã¬ã¹åäŒ API ç±³åœç³æ²¹åäŒ ARP ã¢ãã¬ã¹è§£æ±ºãããã³ã« BCP äºæ¥ç¶ç¶èšç»æž CIDX CIGRE CIP CMVP COTS CPNI CPU CSE CSRC CSSC CVE ååŠæ¥çããŒã¿äº€æ åœé倧é»åã·ã¹ãã äŒè° éèŠã€ã³ãã©ä¿è· æå·ã¢ãžã¥ãŒã«åŠ¥åœæ§æ€èšŒããã°ã©ã æ°çå åœå®¶ã€ã³ãã©ä¿è·ã»ã³ã¿ãŒ äžå€®æŒç®è£ 眮 éä¿¡ã»ãã¥ãªãã£å± ã³ã³ãã¥ãŒã¿ã»ãã¥ãªãã£ãªãœãŒã¹ã»ã³ã¿ãŒ å¶åŸ¡ã·ã¹ãã ã»ãã¥ãªãã£ã»ã³ã¿ãŒ å ±éè匱æ§æé² DCOM DCS DETL DHS DMZ DNP3 DNS DOE DoS DRP 
DCOM  Distributed Component Object Model
DCS  Distributed Control System
DETL  Distributed Energy Technology Laboratory
DHS  Department of Homeland Security
DMZ  Demilitarized Zone
DNP3  Distributed Network Protocol (published as IEEE 1815)
DNS  Domain Name System
DOE  Department of Energy
DoS  Denial of Service
DRP  Disaster Recovery Plan
EAP  Extensible Authentication Protocol
EMS  Energy Management System
EPRI  Electric Power Research Institute
ERP  Enterprise Resource Planning
FIPS  Federal Information Processing Standards
FISMA  Federal Information Security Management Act
FTP  File Transfer Protocol
GAO  Government Accountability Office
GPS  Global Positioning System
HMI  Human-Machine Interface
HSPD  Homeland Security Presidential Directive
HTTP  Hypertext Transfer Protocol

SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY

HTTPS  Hypertext Transfer Protocol Secure
HVAC  Heating, Ventilation, and Air Conditioning
I/O  Input/Output
I3P  Institute for Information Infrastructure Protection
IACS  Industrial Automation and Control System
IAONA  Industrial Automation Open Networking Association
ICCP  Inter-control Center Communications Protocol
ICMP  Internet Control Message Protocol
ICS  Industrial Control System(s)
ICS-CERT  Industrial Control Systems Cyber Emergency Response Team
IDS  Intrusion Detection System
IEC  International Electrotechnical Commission
IED  Intelligent Electronic Device
IEEE  Institute of Electrical and Electronics Engineers
IETF  Internet Engineering Task Force
IGMP  Internet Group Management Protocol
INL  Idaho National Laboratory
IP  Internet Protocol
IPS  Intrusion Prevention System
IPsec  Internet Protocol Security
ISA  International Society of Automation
ISID  Industrial Security Incident Database
ISO  International Organization for Standardization
IT  Information Technology
ITL  Information Technology Laboratory
LAN  Local Area Network
MAC  Media Access Control
MES  Manufacturing Execution System
MIB  Management Information Base
MTU  Master Terminal Unit (also Master Telemetry Unit)
NAT  Network Address Translation
NCCIC  National Cybersecurity and Communications Integration Center
NCSD  National Cyber Security Division
NERC  North American Electric Reliability Corporation
NFS  Network File System
NIC  Network Interface Card
NISCC  National Infrastructure Security Coordination Centre
NIST  National Institute of Standards and Technology
NSTB  National SCADA Testbed
OLE  Object Linking and Embedding
OMB  Office of Management and Budget
OPC  OLE for Process Control
OS  Operating System
OSI  Open Systems Interconnection
PCII  Protected Critical Infrastructure Information
PDA  Personal Digital Assistant
PIN  Personal Identification Number
PID  Proportional-Integral-Derivative
PIV  Personal Identity Verification
PLC  Programmable Logic Controller
PP  Protection Profile
PPP  Point-to-Point Protocol
R&D  Research and Development
RADIUS  Remote Authentication Dial In User Service
RBAC  Role-Based Access Control
RFC  Request for Comments
RMA  Reliability, Maintainability, and Availability
RMF  Risk Management Framework
RPC  Remote Procedure Call
RPO  Recovery Point Objective
RTO  Recovery Time Objective
RTU  Remote Terminal Unit (also Remote Telemetry Unit)
SC  Security Category
SCADA  Supervisory Control and Data Acquisition
SCP  Secure Copy
SFTP  Secure File Transfer Protocol
SIS  Safety Instrumented System
SMTP  Simple Mail Transfer Protocol
SNL  Sandia National Laboratories
SNMP  Simple Network Management Protocol
SP  Special Publication
SPP-ICS  System Protection Profile for Industrial Control Systems
SQL  Structured Query Language
SSH  Secure Shell
SSID  Service Set Identifier
SSL  Secure Sockets Layer
TCP  Transmission Control Protocol
TCP/IP  Transmission Control Protocol/Internet Protocol
TFTP  Trivial File Transfer Protocol
TLS  Transport Layer Security
UDP  User Datagram Protocol
UPS  Uninterruptible Power Supply
US-CERT  United States Computer Emergency Readiness Team
USB  Universal Serial Bus
VFD  Variable Frequency Drive
VLAN  Virtual Local Area Network
VPN  Virtual Private Network
WAN  Wide Area Network
XML  Extensible Markup Language
Appendix B—Glossary of Terms

Selected terms used in the Guide to Industrial Control Systems (ICS) Security are defined below. Source references for certain definitions are listed at the end of this appendix.

Alternating Current Drive
Synonymous with Variable Frequency Drive (VFD). SOURCE: NIST IR 6859 [2]

Access Control List (ACL)
A mechanism that implements access control for a system resource by enumerating the identities of the system entities that are permitted to access the resource. SOURCE: RFC 4949 [75]

Accreditation
The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls. SOURCE: NIST SP 800-53 [22]

Actuator
A device for moving or controlling a mechanism or system. It is operated by a source of energy, typically electric current, hydraulic fluid pressure, or pneumatic pressure, and converts that energy into motion. An actuator is the mechanism by which a control system acts upon an environment. The control system can be simple (a fixed mechanical or electronic system), software-based (e.g., a printer driver or a robot control system), or a human or other agent.

Alarm
A device or function that signals the existence of an abnormal condition by making an audible or visible discrete change, or both, so as to attract attention to that condition. SOURCE: ANSI/ISA-5.1-2009

Antivirus Tools
Software products and technology used to detect malicious code, prevent it from infecting a system, and remove malicious code that has infected the system.

Application Server
A computer responsible for hosting applications to user workstations.

Attack
An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity, availability, or confidentiality. SOURCE: CNSSI-4009
Authentication
Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. SOURCE: NIST SP 800-53 [22]

Authorization
The right or a permission that is granted to a system entity to access a system resource. SOURCE: RFC 4949 [75]

Backdoor
An undocumented way of gaining access to a computer system. A backdoor is a potential security risk.

Batch Process
A process that leads to the production of finite quantities of material by subjecting quantities of input materials to an ordered set of processing activities over a finite time using one or more pieces of equipment. SOURCE: ANSI/ISA-88.01-1995

Broadcast
Transmission to all devices in a network without any acknowledgment by the receivers. SOURCE: IEC/PAS 62410

Buffer Overflow
A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Adversaries exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system. SOURCE: NIST SP 800-28 [69]

Certification
A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. SOURCE: NIST SP 800-37 [21]

Clear Text
Information that is not encrypted.

Communications Router
A communications device that transfers messages between two networks. Common uses for routers include connecting a LAN to a WAN, and connecting MTUs and RTUs to a long-distance network medium for SCADA communication.

Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. SOURCE: NIST SP 800-53 [22]

Configuration (of a system or device)
A step in system design; for example, selecting functional units, assigning their locations, and defining their interconnections. SOURCE: IEC/PAS 62409

Configuration Control
Process for controlling modifications to hardware, firmware, software, and documentation to ensure the information system is protected against improper modifications before, during, and after system implementation. SOURCE: CNSSI-4009

Continuous Process
A process that operates on the basis of continuous flow, as opposed to batch, intermittent, or sequenced operations.

Control Algorithm
A mathematical representation of the control action to be performed. SOURCE: The Automation, Systems, and Instrumentation Dictionary

Control
The part of the ICS used to perform the monitoring and control of the physical process. This includes all control servers, field devices, actuators, sensors, and their supporting communication systems.

Control Center
An equipment structure or group of structures from which a process is measured, controlled, and/or monitored. SOURCE: ANSI/ISA-51.1-1979

Control Loop
A control loop consists of sensors for measurement, controller hardware such as PLCs, actuators such as control valves, breakers, switches, and motors, and the communication of variables. Controlled variables are transmitted to the controller from the sensors. The controller interprets the signals and generates corresponding manipulated variables, based on set points, which it transmits to the actuators. Process changes from disturbances result in new sensor signals, identifying the state of the process, which are again transmitted to the controller.

Control Network
Those networks of an enterprise typically connected to equipment that controls physical processes and that is time or safety critical. The control network can be subdivided into zones, and there can be multiple separate control networks within one enterprise and site. SOURCE: ISA99 [34]

Control Server
A controller that also acts as a server that hosts the control software that communicates with lower-level control devices, such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs), over an ICS network. In a SCADA system, this is often called a SCADA server, MTU, or supervisory controller.
Control System
A system in which deliberate guidance or manipulation is used to achieve a prescribed value for a variable. Control systems include SCADA, DCS, PLCs, and other types of industrial measurement and control systems.

Controlled Variable
The variable that the control system attempts to keep at the set point value. The set point may be constant or variable. SOURCE: The Automation, Systems, and Instrumentation Dictionary

Controller
A device or program that operates automatically to regulate a controlled variable. SOURCE: ANSI/ISA-51.1-1979

Cycle Time
The time, usually expressed in seconds, for a controller to complete one control loop, in which sensor signals are read into memory, control algorithms are executed, and corresponding control signals are transmitted to actuators that create changes in the process, resulting in new sensor signals. SOURCE: The Automation, Systems, and Instrumentation Dictionary

Data Diode
A data diode (also referred to as a unidirectional gateway, deterministic one-way boundary device, or unidirectional network) is a network appliance or device allowing data to travel only in one direction.

Database
A repository of information that usually holds plant-wide information including process data, recipes, personnel data, and financial data. SOURCE: NIST IR 6859 [2]

Data Historian
A centralized database supporting data analysis using statistical process control techniques.

DC Servo Drive
A type of drive that works specifically with servo motors. It transmits commands to the motor and receives feedback from the servo motor resolver or encoder. SOURCE: NIST IR 6859 [2]

Demilitarized Zone (DMZ)
An interface on a routing firewall that is similar to the interfaces found on the firewall's protected side. Traffic moving between the DMZ and other interfaces on the protected side of the firewall still goes through the firewall and can have firewall protection policies applied. SOURCE: SP 800-41 [85]
A host or network segment inserted as a "neutral zone" between an organization's private network and the Internet. SOURCE: SP 800-45 [91]
Perimeter network segment that is logically between internal and external networks. Its purpose is to enforce the internal network's Information Assurance policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding the internal networks from outside attacks. SOURCE: CNSSI-4009

Denial of Service (DoS)
The prevention of authorized access to a system resource or the delaying of system operations and functions. SOURCE: RFC 4949 [75]

Diagnostics
Information concerning known failure modes and their characteristics. Such information can be used in troubleshooting and failure analysis to help pinpoint the cause of a failure and help define suitable corrective measures. SOURCE: The Automation, Systems, and Instrumentation Dictionary

Disaster Recovery Plan (DRP)
A written plan for processing critical applications in the event of a major hardware or software failure or destruction of facilities. SOURCE: NIST SP 800-34 [52]

Discrete Process
A type of process where a specified quantity of material moves as a unit (part or group of parts) between work stations and each unit maintains its unique identity. SOURCE: The Automation, Systems, and Instrumentation Dictionary

Distributed Control System (DCS)
In a control system, refers to control achieved by intelligence that is distributed about the process to be controlled, rather than by a centrally located single unit. SOURCE: The Automation, Systems, and Instrumentation Dictionary

Distributed Plant
A geographically distributed factory that is accessible through the Internet by an enterprise. SOURCE: NIST IR 6859 [2]

Disturbance
An undesired change in a variable being applied to a system that tends to adversely affect the value of a controlled variable. SOURCE: ANSI/ISA-51.1-1979

Domain
An environment or context that includes a set of system resources and a set of system entities that have the right to access the resources as defined by a common security policy, security model, or security architecture. See Security Domain. SOURCE: CNSSI-4009; SP 800-53 [22]; SP 800-37 [21]

Domain Controller
A server responsible for managing domain information, such as login identification and passwords. SOURCE: NIST IR 6859 [2]

Encryption
Cryptographic transformation of data (called "plaintext") into a form (called "ciphertext") that conceals the data's original meaning to prevent it from being known or used. If the transformation is reversible, the corresponding reversal process is called "decryption," which is a transformation that restores encrypted data to its original state. SOURCE: RFC 4949 [75]

Enterprise
An organization that coordinates the operation of one or more processing sites. SOURCE: ANSI/ISA-88.01-1995

Enterprise Resource Planning (ERP) System
A system that integrates enterprise-wide information including human resources, financials, manufacturing, and distribution, and connects the organization to its customers and suppliers.

Extensible Markup Language (XML)
A specification for a generic syntax to mark data with simple, human-readable tags, enabling the definition, transmission, validation, and interpretation of data between applications and between organizations.

Fault Tolerant
Of a system, having the built-in capability to provide continued, correct execution of its assigned function in the presence of a hardware and/or software fault.

Field Device
Equipment that is connected to the field side of an ICS. Types of field devices include RTUs, PLCs, actuators, sensors, HMIs, and associated communications.

Field Site
A subsystem that is identified by physical, geographical, or logical segmentation within the ICS. A field site may contain RTUs, PLCs, actuators, sensors, HMIs, and associated communications.
Fieldbus
A digital, serial, multi-drop, two-way data bus or communication path or link between low-level industrial field equipment such as sensors, transducers, actuators, local controllers, and even control room devices. Use of fieldbus technologies eliminates the need for point-to-point wiring between the controller and each device. A protocol is used to define messages over the fieldbus network, with each message identifying a particular sensor on the network.

File Transfer Protocol (FTP)
FTP is an Internet standard for transferring files over the Internet. FTP programs and utilities are used to upload and download Web pages, graphics, and other files between local media and a remote server which allows FTP access. SOURCE: API 1164

Firewall
An inter-network gateway that restricts data communication traffic to and from one of the connected networks (the one said to be "inside" the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be "outside" the firewall). SOURCE: RFC 4949 [75]
An inter-network connection device that restricts data communication traffic between two connected networks. A firewall may be either an application installed on a general-purpose computer or a dedicated platform (appliance), which forwards or rejects/drops packets on a network. Typically firewalls are used to define zone borders. Firewalls generally have rules restricting which ports are open. SOURCE: ISA-62443-1-1 [34]

Human-Machine Interface (HMI)
The hardware or software through which an operator interacts with a controller. An HMI can range from a physical control panel with buttons and indicator lights to an industrial PC with a color graphics display running dedicated HMI software. SOURCE: NIST IR 6859 [2]
Software and hardware that allows human operators to monitor the state of a process under control, modify control settings to change the control objective, and manually override automatic control operations in the event of an emergency. The HMI also allows a control engineer or operator to configure set points or control algorithms and parameters in the controller, send commands, and adjust and establish parameters, and it displays process status information, historical information, reports, and other information to operators, administrators, managers, business partners, and other authorized users.

Identification
The process of verifying the identity of a user, process, or device, usually as a prerequisite for granting access to resources in an IT system. SOURCE: NIST SP 800-47 [92]

Incident
An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. SOURCE: FIPS 200 [16]; SP 800-53 [22]

Industrial Control System (ICS)
General term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC) often found in the industrial sectors and critical infrastructures. An ICS consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy).
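The Firewall and Demilitarized Zone (DMZ) entries above describe a firewall as a device that applies port-restricting rules at zone borders, and a DMZ as the one segment an outside network is allowed to reach. The following Python model is an added example and is not code from NIST SP 800-82 or its JPCERT translation: it evaluates a small constructed zone-to-zone ruleset with first-match semantics and an implicit default deny, then audits the ruleset for any allow rule that crosses directly between the enterprise and control zones, which is the DMZ bypass a reviewer looks for first. Zone names, the ports (443 for the DMZ historian's web front end, 5450 for the historian replication push, 3389 for a "remote support" rule) and the rules themselves are assumptions made for illustration.

```python
"""Added example: zone-to-zone packet filter model with a DMZ bypass audit.
Constructed for illustration; not code from NIST SP 800-82."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    """One connection attempt as the firewall sees it (initiating direction)."""
    src_zone: str
    dst_zone: str
    proto: str       # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (self.src_zone == flow.src_zone
                and self.dst_zone == flow.dst_zone
                and self.proto == flow.proto
                and (self.dst_port is None or self.dst_port == flow.dst_port))


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule decides; a flow that matches nothing is dropped
    (default deny), so only the ports the rules open are reachable."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


def dmz_bypasses(rules: List[Rule]) -> List[Rule]:
    """Audit: allow rules that cross directly between the enterprise and
    control zones skip the DMZ and break the zone border the DMZ exists for."""
    return [r for r in rules
            if r.action == "allow"
            and {r.src_zone, r.dst_zone} == {"enterprise", "control"}]


# Constructed ruleset. Zone names and ports are assumptions: 443 is the DMZ
# historian's web front end, 5450 the control-side historian's outbound
# replication to the DMZ copy. Everything else falls through to default deny.
RULESET = [
    Rule("enterprise", "dmz", "tcp", 443, "allow"),
    Rule("control", "dmz", "tcp", 5450, "allow"),
    Rule("dmz", "control", "tcp", None, "deny"),       # the DMZ never initiates into control
    Rule("enterprise", "control", "tcp", None, "deny"),
]

# The same ruleset after someone prepends a "temporary" remote-desktop hole
# for support staff (port 3389 assumed). First match means it takes effect.
WEAK_RULESET = [Rule("enterprise", "control", "tcp", 3389, "allow")] + RULESET


def decisions(rules: List[Rule], flows: List[Flow]) -> List[str]:
    return [evaluate(rules, f) for f in flows]


SAMPLE_FLOWS = [                                    # constructed traffic
    Flow("enterprise", "dmz", "tcp", 443),          # analyst reads the historian
    Flow("enterprise", "control", "tcp", 502),      # Modbus/TCP straight at a PLC
    Flow("enterprise", "control", "tcp", 3389),     # remote desktop to an HMI
    Flow("dmz", "control", "tcp", 5450),            # DMZ trying to initiate into control
    Flow("control", "dmz", "tcp", 5450),            # historian replication push
    Flow("control", "dmz", "udp", 5450),            # same port, wrong protocol
]

if __name__ == "__main__":
    for flow, hardened, weak in zip(SAMPLE_FLOWS,
                                    decisions(RULESET, SAMPLE_FLOWS),
                                    decisions(WEAK_RULESET, SAMPLE_FLOWS)):
        print(f"{flow.src_zone:>10} -> {flow.dst_zone:<8} {flow.proto}/{flow.dst_port:<5} "
              f"hardened={hardened:<5} weak={weak}")
    print("DMZ bypass rules in weak ruleset:", dmz_bypasses(WEAK_RULESET))
```

Run directly, the script prints each sample flow's decision under both rulesets; the only difference is the remote-desktop flow, and `dmz_bypasses` flags exactly the rule that causes it. The audit is deliberately independent of rule order: a direct enterprise-to-control allow is a policy violation even when a later deny happens to shadow it today.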
Information Security Program Plan
Formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. SOURCE: NIST SP 800-53 [22]

Input/Output (I/O)
A general term for the equipment that is used to communicate with a computer as well as the data involved in the communications. SOURCE: The Automation, Systems, and Instrumentation Dictionary

Insider
An entity inside the security perimeter that is authorized to access system resources but uses them in a way not approved by those who granted the authorization. SOURCE: RFC 4949 [75]

Integrity
Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity. SOURCE: NIST SP 800-53 [22]

Intelligent Electronic Device (IED)
Any device incorporating one or more processors with the capability to receive or send data/control from or to an external source (e.g., electronic multifunction meters, digital relays, controllers). SOURCE: AGA 12 [5]

Internet
The single interconnected world-wide system of commercial, government, educational, and other computer networks that share the set of protocols specified by the Internet Architecture Board (IAB) and the name and address spaces managed by the Internet Corporation for Assigned Names and Numbers (ICANN). SOURCE: RFC 4949 [75]

Intrusion Detection System (IDS)
A security service that monitors and analyzes network or system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner. SOURCE: RFC 4949 [75]

Intrusion Prevention System (IPS)
A system that can detect an intrusive activity and can also attempt to stop the activity, ideally before it reaches its targets.

Jitter
The time or phase difference between the data signal and the ideal clock.

Key Logger
A program designed to record which keys are pressed on a computer keyboard; it is used to obtain passwords or encryption keys and thus bypass other security measures.

Light Tower
A device containing a series of indicator lights and an embedded controller used to indicate the state of a process based on an input signal. SOURCE: NIST IR 6859 [2]

Local Area Network (LAN)
A group of computers and other devices dispersed over a relatively limited area and connected by a communications link that enables any device to interact with any other on the network.

Machine Controller
A control system/motion network that electronically synchronizes drives within a machine system instead of relying on synchronization via mechanical linkage.

Maintenance
Any act that either prevents the failure or malfunction of equipment or restores its operating capability. SOURCE: The Automation, Systems, and Instrumentation Dictionary

Malware
Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code (malware). SOURCE: NIST SP 800-53 [22]

Management Controls
The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information security. SOURCE: NIST SP 800-18 [19]

Manipulated Variable
In a process that is intended to regulate some condition, a quantity or a condition that the control alters to initiate a change in the value of the regulated condition. SOURCE: The Automation, Systems, and Instrumentation Dictionary

Manufacturing Execution System (MES)
A system that uses network computing to automate production control and process automation.
By downloading recipes and work schedules and uploading production results, a MES bridges the gap between business and plant-floor or process-control systems. SOURCE: NIST IR 6859 [2] Master Terminal Unit (MTU) Modem See Control Server. Motion Control Network The network supporting the control applications that move parts in industrial settings, including sequencing, speed control, point-to-point control, and incremental motion. SOURCE: The Automation, Systems, and Instrumentation Dictionary Network Interface Card (NIC) A circuit board or card that is installed in a computer so that it can be connected to a network. Object Linking and Embedding (OLE) for Process Control (OPC) A set of open standards developed to promote interoperability between disparate field devices, automation/control, and business systems. Operating System An integrated collection of service routines for supervising the sequencing of programs by a computer. An operating system may perform the functions of input/output control, resource scheduling, and data management. It provides application programs with the fundamental commands for controlling the computer. SOURCE: The Automation, Systems, and Instrumentation Dictionary Operational Controls The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by people (as opposed to systems). SOURCE: NIST SP 800-18 [19] Password A string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization. Phishing Tricking individuals into disclosing sensitive personal information by claiming to be a trustworthy entity in an electronic communication (e.g., internet web sites). A device used to convert serial digital data from a transmitting terminal to a signal suitable for transmission over a telephone channel to reconvert the transmitted signal to serial digital data for the receiving terminal. 
SOURCE: NIST IR 6859 [2] 237 SP800-82 第 2 ç ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ã Manufacturing Execution System (MES)ïŒ çç£å®è¡ã·ã¹ãã ãããã¯ãŒã¯ã³ã³ãã¥ãŒãã£ã³ã°ãå©çšããŠçç£å¶åŸ¡åã³ããã»ã¹ã® èªååãè¡ãã·ã¹ãã ãã¬ã·ããšäœæ¥ã¹ã±ãžã¥ãŒã«ãããŠã³ããŒã ããçç£çµæãã¢ããããŒãããããšã«ãããMES ã¯äºæ¥ã·ã¹ãã ãšãã©ã³ãçŸå Žã·ã¹ãã åã¯ããã»ã¹å¶åŸ¡ã·ã¹ãã éã®ã®ã£ãããå ããã åºå žïŒNIST IR 6859 [2] Master Terminal Unit (MTU)ïŒ ãã¹ã¿ãŒç«¯æ«è£ 眮 å¶åŸ¡ãµãŒããåç §ã ModemïŒã¢ãã é信端æ«ããã®ã·ãªã¢ã«ããžã¿ã«ããŒã¿ãé»è©±ç¶²éä¿¡ã«é©ããä¿¡å·ã« å€æããå信端æ«ã«ã¯ã·ãªã¢ã«ããžã¿ã«ããŒã¿ã«åå€æããããã®ã ãã€ã¹ã åºå žïŒNIST IR 6859 [2] Motion Control NetworkïŒ ç£æ¥ç°å¢ã«ãããŠããŒããåããå¶åŸ¡ã¢ããªã±ãŒã·ã§ã³ã«å¯Ÿå¿ããã åäœå¶åŸ¡ãããã¯ãŒã¯ ããã¯ãŒã¯ã§ãåäœã«ã¯ã·ãŒã±ã³ã·ã³ã°ãé床å¶åŸ¡ã2 ç¹éå¶åŸ¡ãå·® ååäœçãããã åºå žïŒãªãŒãã¡ãŒã·ã§ã³ã»ã·ã¹ãã ã»èšè£ äºå ž ã³ã³ãã¥ãŒã¿ã«èšçœ®ãããåè·¯åºæ¿åã¯ã«ãŒãã§ãã³ã³ãã¥ãŒã¿ãã Network Interface Card (NIC)ïŒãããã¯ãŒã¯ã€ã³ ããã¯ãŒã¯ã«æ¥ç¶ããã ã¿ãã§ãŒã¹ã«ãŒã Object Linking and Embedding (OLE) for Process Control (OPC)ïŒ ããã»ã¹å¶åŸ¡çš OLE ç°çš®ãã£ãŒã«ãããã€ã¹éããªãŒãã¡ãŒã·ã§ã³/å¶åŸ¡éåã³äºæ¥ã·ã¹ ãã éã®çžäºéçšæ§ãä¿é²ããããã«éçºããããªãŒãã³èŠæ Œã Operating SystemïŒ ã³ã³ãã¥ãŒã¿ã«ããããã°ã©ã ã®ã·ãŒã±ã³ã·ã³ã°ãç£èŠãããå®åžžãµ ãªãã¬ãŒãã£ã³ã°ã·ã¹ãã ãŒãã¹ã®éåäœãå ¥åºåå¶åŸ¡ããªãœãŒã¹ã¹ã±ãžã¥ãŒãªã³ã°åã³ããŒã¿ 管çãè¡ããã³ã³ãã¥ãŒã¿ãå¶åŸ¡ããããã®æ©èœã³ãã³ããã¢ããªã± ãŒã·ã§ã³ããã°ã©ã ã«æäŸããã åºå žïŒãªãŒãã¡ãŒã·ã§ã³ã»ã·ã¹ãã ã»èšè£ äºå ž Operational ControlsïŒ éçšå¶åŸ¡ äž»ã«äººéïŒã·ã¹ãã ã§ã¯ãªãïŒãå®è£ ãå®è¡ããæ å ±ã·ã¹ãã ã®ã»ã ã¥ãªãã£å¯ŸçïŒå®å šçåã¯å¯ŸçïŒã åºå žïŒNIST SP 800-18 [19] PasswordïŒãã¹ã¯ãŒã 身åãèªèšŒåã¯ã¢ã¯ã»ã¹æš©éã確èªããããã®æååïŒæåãæ°åã ã®ä»èšå·ïŒã PhishingïŒãã£ãã·ã³ã° é»åéä¿¡ïŒã€ã³ã¿ãŒããããŠã§ããµã€ãçïŒã«ãããŠä¿¡é Œã§ããå®äœ ã§ãããšäž»åŒµããããšã«ããã欺ããŠå人æ å ±ãé瀺ãããããšã 238 SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY Photo Eye A light sensitive sensor utilizing photoelectric control that converts a light signal into an electrical signal, ultimately producing a binary signal based on an interruption of a light 
beam. SOURCE: NIST IR 6859 [2] Plant The physical elements necessary to support the physical process. This can include many of the static components not controlled by the ICS; however, the operation of the ICS may impact the adequacy, strength, and durability of the plantâs components. Port The entry or exit point from a computer for connecting communications or peripheral devices. SOURCE: The Automation, Systems, and Instrumentation Dictionary Port Scanning Using a program to remotely determine which ports on a system are open (e.g., whether systems allow connections through those ports). SOURCE: NIST SP 800-61 [59] Predisposing Condition A condition that exists within an organization, a mission/business process, enterprise architecture, or information system including its environment of operation, which contributes to (i.e., increases or decreases) the likelihood that one or more threat events, once initiated, will result in undesirable consequences or adverse impact to organizational operations and assets, individuals, other organizations, or the Nation. SOURCE: SP 800-30 [79] Pressure Regulator A device used to control the pressure of a gas or liquid. SOURCE: NIST IR 6859 [2] Pressure Sensor A sensor system that produces an electrical signal related to the pressure acting on it by its surrounding medium. Pressure sensors can also use differential pressure to obtain level and flow measurements. SOURCE: NIST IR 6859 [2] Printer A device that converts digital data to human-readable text on a paper medium. SOURCE: NIST IR 6859 [2] Process Controller A type of computer system, typically rack-mounted, that processes sensor input, executes control algorithms, and computes actuator outputs. 
SOURCE: NIST IR 6859 [2] 239 SP800-82 第 2 ç ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ã Photo EyeïŒãã©ãã¢ã€ å ä¿¡å·ãé»åä¿¡å·ã«å€æããå é»åå¶åŸ¡ãå©çšããæå ã»ã³ãµã§ãå ç·ãäžæããŠãã€ããªä¿¡å·ãçæããã åºå žïŒNIST IR 6859 [2] PlantïŒãã©ã³ã ç©çããã»ã¹ãæ¯ããããã®ç©çèŠçŽ ãICS ã§å¶åŸ¡ãããªãå€ãã®é çã³ã³ããŒãã³ããå«ãŸãåŸãããICS ã®éçšã¯ãã©ããããŒã ã³ã³ ããŒãã³ãã®é©åæ§ã匷床åã³èä¹ æ§ã«åœ±é¿ããã PortïŒããŒã ã³ã³ãã¥ãŒã¿ãéä¿¡æ©åšåã¯åšèŸºããã€ã¹ã«æ¥ç¶ããããã®åºå ¥å£ãš ãªãç¹ã åºå žïŒãªãŒãã¡ãŒã·ã§ã³ã»ã·ã¹ãã ã»èšè£ äºå ž Port ScanningïŒ ããŒãã¹ãã£ãã³ã° ããã°ã©ã ãå©çšããŠéæŸãããŠããããŒãïŒããããã·ã¹ãã ã«æ¥ ç¶ã§ãããïŒãå€å®ããããšã åºå žïŒNIST SP 800-61 [59] Predisposing ConditionïŒ çŽ å çç¶æ çµç¹ãä»»åã»äºæ¥ãäŒæ¥ã¢ãŒããã¯ãã£åã¯æ å ±ã·ã¹ãã å ã«ååšã ãç¶æ ã®ããšã§ããã£ããçºåãããšãçµç¹ã®éå¶åã³è³ç£ãå人ã ä»ã®çµç¹åã¯åœã«æªåœ±é¿ãäžããè åšäºè±¡ã«å¯äžïŒå¢æžïŒããéçšç° å¢ãå«ãŸããã åºå žïŒSP 800-30 [79] Pressure RegulatorïŒ å§åã¬ã®ã¥ã¬ãŒã¿ ã¬ã¹åã¯æ¶²äœã®å§åãå¶åŸ¡ããããã€ã¹ãåºå žïŒNIST IR 6859 [2] Pressure SensorïŒ å§åã»ã³ãµ åšèŸºåªäœããåããå§åã«é¢ããé»æ°ä¿¡å·ãçºçããã»ã³ãµã·ã¹ã ã ãå§åã»ã³ãµã¯å·®å§ãå©çšããŠã¬ãã«åã³æµéã®èšæž¬ãè¡ãã åºå žïŒNIST IR 6859 [2] PrinterïŒããªã³ã¿ ããžã¿ã«ããŒã¿ã人ãèªããçŽã®ããã¹ãã«å€æããããã€ã¹ãåº å žïŒNIST IR 6859 [2] Process ControllerïŒ ããã»ã¹ã³ã³ãããŒã© éåžžã©ãã¯ã«èšçœ®ããã 1 çš®ã®ã³ã³ãã¥ãŒã¿ã·ã¹ãã ã§ãã»ã³ãµå ¥å ãåŠçããå¶åŸ¡ã¢ã«ãŽãªãºã ãå®è¡ããã¢ã¯ãã¥ãšãŒã¿åºåãèšç®ã ãã åºå žïŒNIST IR 6859 [2] 240 SPECIAL PUBLICATION 800-82 REVISION 2 Programmable Logic Controller (PLC) Protocol GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY A solid-state control system that has a user-programmable memory for storing instructions for the purpose of implementing specific functions such as I/O control, logic, timing, counting, three mode (PID) control, communication, arithmetic, and data and file processing. SOURCE: The Automation, Systems, and Instrumentation Dictionary A small industrial computer originally designed to perform the logic functions executed by electrical hardware (relays, switches, and mechanical timer/counters). 
PLCs have evolved into controllers with the capability of controlling complex processes, and they are used substantially in SCADA systems and DCS. PLCs are also used as the primary controller in smaller system configurations. PLCs are used extensively in almost all industrial processes. A set of rules (i.e., formats and procedures) to implement and control some type of association (e.g., communication) between systems. SOURCE: RFC 4949 [75] Protocol Analyzer A device or software application that enables the user to analyze the performance of network data so as to ensure that the network and its associated hardware/software are operating within network specifications. SOURCE: The Automation, Systems, and Instrumentation Dictionary Proximity Sensor A non-contact sensor with the ability to detect the presence of a target within a specified range. SOURCE: NIST IR 6859 [2] Proxy Server A server that services the requests of its clients by forwarding those requests to other servers. SOURCE: CNSSI-4009 Real-Time Pertaining to the performance of a computation during the actual time that the related physical process transpires so that the results of the computation can be used to guide the physical process. SOURCE: NIST IR 6859 [2] Redundant Control Server A backup to the control server that maintains the current state of the control server at all times. SOURCE: NIST IR 6859 [2] Relay An electromechanical device that completes or interrupts an electrical circuit by physically moving conductive contacts. The resultant motion can be coupled to another mechanism such as a valve or breaker. 
SOURCE: The Automation, Systems, and Instrumentation Dictionary 241 SP800-82 第 2 ç ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ã ãœãªããã¹ããŒãå¶åŸ¡ã·ã¹ãã ã§ããŠãŒã¶ãããã°ã©ã å¯èœãªã¡ã¢ãª Programmable Logic Controller (PLC)ïŒ ããããI/O å¶åŸ¡ãè«çãã¿ã€ãã³ã°ãã«ãŠã³ãã3 ã¢ãŒãïŒPIDïŒã® ããã°ã©ããã«è«çå¶åŸ¡è£ å¶åŸ¡ãéä¿¡ãæŒç®ãããŒã¿ããã¡ã€ã«ã®åŠççã®å ·äœçãªæ©èœãå®è£ 眮 ããããã®åœä»€ãæ ŒçŽããã åºå žïŒãªãŒãã¡ãŒã·ã§ã³ã»ã·ã¹ãã ã»èšè£ äºå ž å ã ã¯é»æ°çããŒããŠãšã¢ïŒãªã¬ãŒãã¹ã€ããåã³æ©æ¢°çã¿ã€ããŒ/ ã«ãŠã³ã¿ãŒïŒã«ããå®è¡ãããè«çæ©èœãå®è¡ããããã«èšèšããã å°åã®ç£æ¥çšã³ã³ãã¥ãŒã¿ãè€éãªããã»ã¹ã®å¶åŸ¡èœåãæã£ãã³ã³ ãããŒã©ã«é²åããSCADA ã·ã¹ãã åã³ DCS ã§å€çšãããããŸãã ããå°åã®ã·ã¹ãã æ§æäžã§ãã©ã€ããªã³ã³ãããŒã©ãšããŠãå©çšã ããŠãããPLC ã¯ã»ãšãã©å šãŠã®ç£æ¥ããã»ã¹ã§åºç¯ã«å©çšãããã ProtocolïŒãããã³ã« ã·ã¹ãã éã®ããçš®ã®é¢ä¿ïŒéä¿¡çïŒãå®è¡ãå¶åŸ¡ããããã®äžé£ã® èŠåïŒåœ¢åŒåã³æé ïŒã åºå žïŒRFC 4949 [75] Protocol AnalyzerïŒ ãããã³ã«åæåš ãããã¯ãŒã¯åã³é¢é£ããŒããŠãšã¢/ãœãããŠãšã¢ããããã¯ãŒã¯ä» æ§å ã§åäœããããã«ããŠãŒã¶ããããã¯ãŒã¯ããŒã¿ã®ããã©ãŒãã³ ã¹ãåæã§ããããã«ããããã€ã¹ãŸãã¯ãœãããŠãšã¢ã åºå žïŒãªãŒãã¡ãŒã·ã§ã³ã»ã·ã¹ãã ã»èšè£ äºå ž Proximity SensorïŒ è¿æ¥ã»ã³ãµ ç®æšå€ãæå®ç¯å²ã«ããããšãæ€åºã§ããéæ¥è§Šåã»ã³ãµã åºå žïŒNIST IR 6859 [2] Proxy ServerïŒ ãããã·ãµãŒã ã¯ã©ã€ã¢ã³ãããã®èŠæ±ãä»ã®ãµãŒãã«è»¢éãããµãŒãã åºå žïŒCNSSI-4009 Real-TimeïŒãªã¢ã«ã¿ã€ã èšç®ã«é¢ä¿ããç©çããã»ã¹ãçºçããŠãèšç®çµæãç©çããã»ã¹ã® å¶åŸ¡ã«å©çšã§ããå®æéèšç®ãããã åºå žïŒNIST IR 6859 [2] Redundant Control ServerïŒ åé·å¶åŸ¡ãµãŒã å¶åŸ¡ãµãŒãã®ããã¯ã¢ããã§ãå¶åŸ¡ãµãŒãã®çŸåšã®ç¶æ ãåžžæä¿æã ãã åºå žïŒNIST IR 6859 [2] RelayïŒãªã¬ãŒ æ¥ç¹ãç©ççã«åãããŠé»æ°åè·¯ãæ¥ç¶åã¯äžæããé»åæ©æ¢°åŒãã ã€ã¹ããã®çµæçããéåã¯ããã«ãããã¬ãŒã«ãšãã£ãå¥ã®ãã〠ã¹ã«é£æºããã åºå žïŒãªãŒãã¡ãŒã·ã§ã³ã»ã·ã¹ãã ã»èšè£ äºå ž 242 SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY Remote Access Access by users (or information systems) communicating external to an information system security perimeter. 
SOURCE: NIST SP 800-53 [22] Remote Access Point Distinct devices, areas and locations of a control network for remotely configuring control systems and accessing process data. Examples include using a mobile device to access data over a LAN through a wireless access point, and using a laptop and modem connection to remotely access an ICS system. Remote Diagnostics Diagnostics activities conducted by individuals communicating external to an information system security perimeter. Remote Maintenance Maintenance activities conducted by individuals communicating external to an information system security perimeter. Remote Terminal Unit (RTU) A computer with radio interfacing used in remote situations where communications via wire is unavailable. Usually used to communicate with remote field equipment. PLCs with radio communication capabilities are also used in place of RTUs. Special purpose data acquisition and control unit designed to support DCS and SCADA remote stations. RTUs are field devices often equipped with network capabilities, which can include wired and wireless radio interfaces to communicate to the supervisory controller. Sometimes PLCs are implemented as field devices to serve as RTUs; in this case, the PLC is often referred to as an RTU. Resource Starvation A condition where a computer process cannot be supported by available computer resources. Resource starvation can occur due to the lack of computer resources or the existence of multiple processes that are competing for the same computer resources. Risk The level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system, given the potential impact of a threat and the likelihood of that threat occurring. 
SOURCE: NIST SP 800-30 [79] Risk Assessment The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis. Incorporates threat and vulnerability analyses. SOURCE: NIST SP 800-30 [79] 243 SP800-82 第 2 ç ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ã Remote AccessïŒ ãªã¢ãŒãã¢ã¯ã»ã¹ æ å ±ã·ã¹ãã ã®ã»ãã¥ãªãã£åšèŸºå€ããéä¿¡ãè¡ããŠãŒã¶ïŒåã¯æ å ± ã·ã¹ãã ïŒã®ã¢ã¯ã»ã¹ã åºå žïŒNIST SP 800-53 [22] Remote Access PointïŒ ãªã¢ãŒãã¢ã¯ã»ã¹ç¹ å¶åŸ¡ã·ã¹ãã ãé éèšå®ããããã»ã¹ããŒã¿ã«ã¢ã¯ã»ã¹ããããã®å¶ 埡ãããã¯ãŒã¯ã®æ確ãªããã€ã¹ããšãªã¢åã³å ŽæãäŸãã°ã¢ãã€ã« ããã€ã¹ãå©çšããŠãã¯ã€ã€ã¬ã¹ã¢ã¯ã»ã¹ç¹ãã LAN çµç±ã®ããŒã¿ ã¢ã¯ã»ã¹ãã©ãããããåã³ã¢ãã ãå©çšãã ICS ã·ã¹ãã ã¢ã¯ã»ã¹ ãããã Remote DiagnosticsïŒ ãªã¢ãŒã蚺æ æ å ±ã·ã¹ãã ã»ãã¥ãªãã£åšèŸºå€ããå人ãè¡ã蚺æ掻åã Remote MaintenanceïŒ é éä¿å® æ å ±ã·ã¹ãã ã»ãã¥ãªãã£åšèŸºå€ããå人ãè¡ãä¿å®æŽ»åã Remote Terminal Unit (RTU)ïŒ é é端æ«è£ 眮 æç·éä¿¡ãå©çšã§ããªãé éç°å¢ã§äœ¿çšããç¡ç·ã€ã³ã¿ãã§ãŒã¹ä»ã ã³ã³ãã¥ãŒã¿ãéåžžãé éãã£ãŒã«ãè£ ååãšã®éä¿¡ã«äœ¿çšãããç¡ ç·éä¿¡æ©èœä»ã PLC ã RTU ã®ä»£ããã«äœ¿çšãããã DCS åã³ SCADA é éã¹ããŒã·ã§ã³ããµããŒãããããã®ç¹æ®ç®ç㧠ã®ããŒã¿ååŸå¶åŸ¡è£ 眮ãRTU ã¯ãç£èŠã³ã³ãããŒã©ãšã®éä¿¡çšæç·ã» ç¡ç·ã€ã³ã¿ãã§ãŒã¹çããããã¯ãŒã¯æ©èœãè£ åããŠããå Žåãå€ ããPLC ã¯ãã£ãŒã«ãããã€ã¹ãšããŠå®è£ ãã RTU ãšããŠå©çšãã ãããšããããPLC 㯠RTU ãšåŒã°ããããšãå€ãã Resource StarvationïŒ ãªãœãŒã¹æ¯æž å©çšå¯èœãªã³ã³ãã¥ãŒã¿ãªãœãŒã¹ã§ã¯ã³ã³ãã¥ãŒã¿ããã»ã¹ããµã㌠ãã§ããªãç¶æ ãã³ã³ãã¥ãŒã¿ãªãœãŒã¹ã®æ¬ ä¹åã¯åãã³ã³ãã¥ãŒã¿ ãªãœãŒã¹ããããè€æ°ããã»ã¹ã®ç«¶åã«ããçããããšãããã RiskïŒãªã¹ã¯ è åšã®æœåšç圱é¿åã³åœè©²è åšãçããèç¶æ§ã«éã¿ãæ å ±ã·ã¹ãã ã®éçšããçããæ¿åºæ©é¢ã®æ¥åïŒä»»åãæ©èœãã€ã¡ãŒãžãè©å€ çïŒãæ¿åºæ©é¢ã®è³ç£åã¯å人ãžã®åœ±é¿åºŠã åºå žïŒNIST SP 800-30 [79] Risk AssessmentïŒ ãªã¹ã¯è©äŸ¡ çºç確çããã®åœ±é¿ã圱é¿ãç·©åããããã®ä»å çã»ãã¥ãªãã£å¯Ÿç ã®å€å®ãéããæ¿åºæ©é¢ã®æ¥åïŒä»»åãæ©èœãã€ã¡ãŒãžãè©å€çïŒã 
è³ç£åã¯å人ã«å¯Ÿãããªã¹ã¯èå¥ããã»ã¹ããªã¹ã¯ç®¡çã®äžéšã§ã㪠ã¹ã¯åæãšå矩ãè åšåæåã³è匱æ§åæãåãå ¥ããã åºå žïŒNIST SP 800-30 [79] 244 SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY Risk Management The process of managing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system, and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system. SOURCE: FIPS 200, Adapted [16] Risk Management Framework The Risk Management Framework (RMF), presented in NIST SP 800-37, provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. SOURCE: SP 800-37 [21] Router A computer that is a gateway between two networks at OSI layer 3 and that relays and directs data packets through that inter-network. The most common form of router operates on IP packets. SOURCE: RFC 4949 [75] Router Flapping A router that transmits routing updates alternately advertising a destination network first via one route, then via a different route. Safety Instrumented System (SIS) A system that is composed of sensors, logic solvers, and final control elements whose purpose is to take the process to a safe state when predetermined conditions are violated. Other terms commonly used include emergency shutdown system (ESS), safety shutdown system (SSD), and safety interlock system (SIS). SOURCE: ANSI/ISA-84.00.01 SCADA Server The device that acts as the master in a SCADA system. 
SOURCE: NIST IR 6859 [2] Security Audit Independent review and examination of a systemâs records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures. SOURCE: ISO/IEC 7498 Security Controls The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. SOURCE: FIPS PUB 199 [15] 245 SP800-82 第 2 ç ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ã Risk ManagementïŒ ãªã¹ã¯ç®¡ç æ å ±ã·ã¹ãã ã®éçšããçãããçµç¹ã®éå¶ïŒä»»åãæ©èœãã€ã¡ãŒ ãžãè©å€çïŒåã³è³ç£ãå人ãä»ã®çµç¹åã¯åœãžã®ãªã¹ã¯ã管çãã ããã»ã¹ã§ã以äžãå«ããïŒ1ïŒãªã¹ã¯è©äŸ¡ã®å®æœãïŒ2ïŒãªã¹ã¯ç·©å çã®å®æœãïŒ3ïŒæ å ±ã·ã¹ãã ã®ã»ãã¥ãªãã£ç¶æ ãåžžç¶ç£èŠããã ãã®æè¡åã³æé ã®æ¡çšã åºå žïŒFIPS 200, Adapted [16] Risk Management FrameworkïŒ ãªã¹ã¯ç®¡çäœå¶ NIST SP 800-37 ã«ç€ºããããªã¹ã¯ç®¡çäœå¶ïŒRMFïŒã¯ãæ å ±ã»ãã¥ãª ãã£æŽ»åãšãªã¹ã¯ç®¡ç掻åãã·ã¹ãã éçºã©ã€ããµã€ã¯ã«ã«çµ±ååã ãããã®çµ±å¶ã®åããçµç¹åãããããã»ã¹ãšå®ããŠããã åºå žïŒSP 800-37 [21] RouterïŒã«ãŒã¿ OSI ã¬ã€ã€ãŒ3 ã§ã®ãããã¯ãŒã¯ãšããŒã¿ããã±ãŒãžãäžç¶æåãã ãããã¯ãŒã¯éã®ã²ãŒããŠã§ã€ãšãªãã³ã³ãã¥ãŒã¿ãæãäžè¬çãªåœ¢ æ ã®ã«ãŒã¿ã¯ IP ãã±ããã§åäœããã åºå žïŒRFC 4949 [75] Router FlappingïŒ ã«ãŒã¿ãã©ããã³ã° çµè·¯æŽæ°ã亀äºã«éä¿¡ããã«ãŒã¿ãå®å ãããã¯ãŒã¯ããŸãããçµè·¯ ã§åºåãã次ãã§å¥çµè·¯ã§è¡ãã Safety Instrumented System ã»ã³ãµãããžãã¯ãœã«ããŒåã³æçµå¶åŸ¡ãšã¬ã¡ã³ãã§æ§æãããã·ã¹ (SIS)ïŒå®å šèšè£ ã·ã¹ãã ãã ã§ãç®çã¯äºãå®ããããæ¡ä»¶ããéžè±ããéã«ãããã»ã¹ãå® å šç¶æ ã«æ»ãããšã«ãããäžè¬ã«äœ¿çšããããã®ä»ã®çšèªãšããŠç·æ¥ é®æã·ã¹ãã ïŒESSïŒãå®å šé®æã·ã¹ãã ïŒSSDïŒãå®å šé£åã·ã¹ã ã ïŒSISïŒçãããã åºå žïŒANSI/ISA-84.00.01 SCADA ServerïŒ SCADA ãµãŒã SCADA ã·ã¹ãã ã§ãã¹ã¿ãŒãšãªãããã€ã¹ã åºå žïŒNIST IR 6859 [2] Security AuditïŒ ã»ãã¥ãªãã£ç£æ» ã·ã¹ãã å¶åŸ¡ã®é©åæ§ãå€å®ããèŠå®ã®ã»ãã¥ãªãã£ããªã·ãŒåã³æ é ã®éµå®ã確ä¿ããã»ãã¥ãªãã£ãµãŒãã¹éåãæ€åºãã察çãšã㊠瀺åãããå€æŽå 
容ãå§åããããã®ã·ã¹ãã ã®èšé²åã³æŽ»åã«å¯Ÿã ãç¬ç«çãªå¯©æ»åã³æ€èšŒã åºå žïŒISO/IEC 7498 Security ControlsïŒ ã»ãã¥ãªãã£å¯Ÿç ã·ã¹ãã ãšãã®æ å ±ã®æ©å¯æ§ãå®å šæ§åã³å¯çšæ§ãä¿è·ããããã®æ å ±ã·ã¹ãã çšç®¡çã»éçšã»æè¡å¯ŸçïŒå®å šçã察ææ段çïŒã åºå žïŒFIPS PUB 199 [15] 246 SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY Security Plan Formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements. SOURCE: NIST SP 800-53 [22] Security Policy Security policies define the objectives and constraints for the security program. Policies are created at several levels, ranging from organization or corporate policy to specific operational constraints (e.g., remote access). In general, policies provide answers to the questions âwhatâ and âwhyâ without dealing with âhow.â Policies are normally stated in terms that are technology-independent. SOURCE: ISA99 Sensor A device that produces a voltage or current output that is representative of some physical property being measured (e.g., speed, temperature, flow). SOURCE: The Automation, Systems, and Instrumentation Dictionary A device that measures a physical quantity and converts it into a signal which can be read by an observer or by an instrument. A sensor is a device, which responds to an input quantity by generating a functionally related output usually in the form of an electrical or optical signal. Servo Valve An actuated valve whose position is controlled using a servo actuator. SOURCE: NIST IR 6859 [2] Set Point An input variable that sets the desired value of the controlled variable. This variable may be manually set, automatically set, or programmed. SOURCE: The Automation, Systems, and Instrumentation Dictionary Simple Network Management Protocol (SNMP) A standard TCP/IP protocol for network management. 
Network administrators use SNMP to monitor and map network availability, performance, and error rates. To work with SNMP, network devices utilize a distributed data store called the Management Information Base (MIB). All SNMP-compliant devices contain a MIB which supplies the pertinent attributes of a device. Some attributes are fixed or âhard-codedâ in the MIB, while others are dynamic values calculated by agent software running on the device. SOURCE: API 1164 Single Loop Controller A controller that controls a very small process or a critical process. SOURCE: NIST IR 6859 [2] Social Engineering An attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks. SOURCE: NIST SP 800-61 [59] 247 SP800-82 第 2 ç ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ã Security PlanïŒ ã»ãã¥ãªãã£èšç»æž æ å ±ã·ã¹ãã ã®ã»ãã¥ãªãã£èŠä»¶ãæŠèª¬ããæ£åŒææžã§ããã®èŠä»¶ã æºè¶³ããå®æœäžåã¯èšç»äžã®ã»ãã¥ãªãã£å¯Ÿçã«ã€ããŠèšè¿°ããã ã®ã åºå žïŒNIST SP 800-53 [22] Security PolicyïŒ ã»ãã¥ãªãã£ããªã·ãŒ ã»ãã¥ãªãã£ããªã·ãŒã¯ã»ãã¥ãªãã£ããã°ã©ã ã®ç®çãšå¶çŽäºé ã å®çŸ©ãããããªã·ãŒã¯ããã€ãã®ã¬ãã«ã§äœæãããçµç¹åã¯äŒæ¥ã ãªã·ãŒããå ·äœçãªéçšäžã®å¶çŽäºé ïŒãªã¢ãŒãã¢ã¯ã»ã¹çïŒãŸã§ã ããç·ããŠããªã·ãŒã¯ãäœãããšãããªããã«ã¯çãããããã©ã®ã ãã«ããšãã質åã«ã¯çããŠããªããéåžžãæè¡ãšã¯ç¡é¢ä¿ã®çšèªã§ èšè¿°ãããã åºå žïŒISA99 SensorïŒã»ã³ãµ èšæž¬äžã®ç©çç¹æ§ïŒé床ã枩床ãæµéçïŒãè¡šããé»å§åã¯é»æµåºå ãçºçãããããã€ã¹ã åºå žïŒãªãŒãã¡ãŒã·ã§ã³ã»ã·ã¹ãã ã»èšè£ äºå ž ç©ççéãèšæž¬ããŠä¿¡å·ã«å€æããããã€ã¹ã§ãä¿¡å·ã¯èŠ³å¯è ãèšåš ã§èªã¿åãããšãã§ãããæ©èœçã«é¢ããã®ããåºåããéåžžãé»æ° åã¯å åŠä¿¡å·ãšããŠçæããããšã«ãããå ¥åã«å¯Ÿå¿ããããã€ã¹ã Servo ValveïŒ ãµãŒããã«ã ãµãŒãã¢ã¯ãã¥ãšãŒã¿ã䜿çšããŠäœçœ®ãå¶åŸ¡ããäœååŒã åºå žïŒNIST IR 6859 [2] Set PointïŒèšå®ç¹ å¶åŸ¡å€æ°ã®ææã®å€ãèšå®ããå ¥åå€æ°ããã®å€æ°ã¯ããã¥ã¢ã«æ äœãèªåãããã°ã©ã åã®ãããã«ãã£ãŠãèšå®å¯èœã§ããã åºå žïŒãªãŒãã¡ãŒã·ã§ã³ã»ã·ã¹ãã ã»èšè£ äºå ž ãããã¯ãŒã¯ç®¡ççšæšæº TCP/IP ãããã³ã«ããããã¯ãŒã¯ç®¡çè 㯠Simple Network Management Protocol ãã®ãããã³ã«ã䜿çšããŠãããã¯ãŒã¯ã®å¯çšæ§ãããã©ãŒãã³ã¹å (SNMP)ïŒ ã³ãšã©ãŒçãç£èŠãããSNMP 
ã«å¯Ÿå¿ããŠããããã¯ãŒã¯ããã€ã¹ã¯ ã·ã³ãã«ãããã¯ãŒã¯ç®¡ç 管çæ å ±ããŒã¹ïŒMIBïŒãšåŒã°ããåæ£ããŒã¿ã¹ãã¢ã䜿çšãããå š ãããã³ã« ãŠã® SNMP é©åããã€ã¹ã¯ MIB ãæã£ãŠãããããã€ã¹ã®é¢é£å±æ§ ãäŸçµŠãããããå±æ§ã¯ MIB ã«åºå®åã¯ãããŒãã³ãŒããããã㟠ããããã®ã¯ããã€ã¹ã§å®è¡äžã®ãšãŒãžã§ã³ãã«ããèšç®ãããåç å€ãšãªãã åºå žïŒAPI 1164 Single Loop ControllerïŒ åäžã«ãŒãã³ã³ãããŒã© 極ããŠå°ããªããã»ã¹åã¯éèŠããã»ã¹ãå¶åŸ¡ããã³ã³ãããŒã©ãåº å žïŒNIST IR 6859 [2] Social EngineeringïŒ ã·ã¹ãã ããããã¯ãŒã¯ã®æ»æã«äœ¿çšããããã人ã欺ããŠæ å ±ïŒã ãœãŒã·ã£ã«ãšã³ãžãã¢ãªã³ ã¹ã¯ãŒãçïŒãæŒæŽ©ããããããã¿ã ã° åºå žïŒNIST SP 800-61 [59] 248 SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY Solenoid Value A valve actuated by an electric coil. A solenoid valve typically has two states: open and closed. SOURCE: NIST IR 6859 [2] Spyware Software that is secretly or surreptitiously installed onto an information system to gather information on individuals or organizations without their knowledge; a type of malicious code. SOURCE: NIST SP 800-53 [22] Statistical Process Control (SPC) The use of statistical techniques to control the quality of a product or process. SOURCE: The Automation, Systems, and Instrumentation Dictionary Steady State A characteristic of a condition, such as value, rate, periodicity, or amplitude, exhibiting only negligible change over an arbitrarily long period of time. SOURCE: ANSI/ISA-51.1-1979 Supervisory Control A term that is used to imply that the output of a controller or computer program is used as input to other controllers. See Control Server SOURCE: The Automation, Systems, and Instrumentation Dictionary Supervisory Control and Data Acquisition (SCADA) A generic name for a computerized system that is capable of gathering and processing data and applying operational controls over long distances. Typical uses include power transmission and distribution and pipeline systems. 
SCADA was designed for the unique communication challenges (e.g., delays, data integrity) posed by the various media that must be used, such as phone lines, microwave, and satellite. Usually shared rather than dedicated. SOURCE: The Automation, Systems, and Instrumentation Dictionary System Security Plan Formal document that provides an overview of the security requirements for a system and describes the security controls in place or planned for meeting those requirements. SOURCE: NIST SP 800-18, Adapted [19] Technical Controls The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system. SOURCE: NIST SP 800-18 [19] Temperature Sensor A sensor system that produces an electrical signal related to its temperature and, as a consequence, senses the temperature of its surrounding medium. SOURCE: NIST IR 6859 [2] 249 SP800-82 第 2 ç ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ã Solenoid ValveïŒ ãœã¬ãã€ããã«ã é»æ°ã³ã€ã«ã§äœåããåŒãéåžžãéããšãéãã® 2 ã€ã®ç¶æ ãããã åºå žïŒNIST IR 6859 [2] SpywareïŒã¹ãã€ãŠãšã¢ æ°ã¥ãããã«å人åã¯çµç¹ã®æ å ±ãåéãããããç§å¯è£ã«åã¯äžæ£ ã«æ å ±ã·ã¹ãã ã«åãä»ãããããœãããŠãšã¢ã§ãæªæããã³ãŒãã® 1 çš®ã åºå žïŒNIST SP 800-53 [22] Statistical Process Control (SPC)ïŒ çµ±èšçããã»ã¹ç®¡ç 補ååã¯ããã»ã¹ã®å質ã管çããããã®çµ±èšæè¡ã®äœ¿çšã åºå žïŒãªãŒãã¡ãŒã·ã§ã³ã»ã·ã¹ãã ã»èšè£ äºå ž Steady StateïŒå®åžžç¶æ å€ãçãåšæãèŠæš¡çã®ç¶æ ç¹æ§ããããä»»æã®é·æéã«ãããå€å ãç¡èŠã§ããããšã åºå žïŒANSI/ISA-51.1-1979 Supervisory ControlïŒ ç£èŠå¶åŸ¡ ã³ã³ãããŒã©åã¯ã³ã³ãã¥ãŒã¿ããã°ã©ã ã®åºåãä»ã®ã³ã³ãããŒã© ã®å ¥åãšããŠäœ¿çšãããŠããããšã瀺ãçšèªãå¶åŸ¡ãµãŒããåç § åºå žïŒãªãŒãã¡ãŒã·ã§ã³ã»ã·ã¹ãã ã»èšè£ äºå ž Supervisory Control and Data Acquisition (SCADA)ïŒ ç£èŠå¶åŸ¡ããŒã¿ååŸ é·è·é¢ã®ããŒã¿åéåŠçãšéçšå¶åŸ¡ãè¡ããã³ã³ãã¥ãŒã¿å¶åŸ¡ã·ã¹ã ã ã®æ±çšçãªå称ãéé é»åã³ãã€ãã©ã€ã³çã«ããå©çšããããé» è©±åç·ããã€ã¯ãæ³¢ã人工è¡æçã§äœ¿çšãããå€æ§ãªåªäœã«ç¹æã®é ä¿¡åé¡ïŒé 
延ãããŒã¿æŽåæ§çïŒã«å¯Ÿå¿ããŠèšèšããããéåžžå°çšã§ ã¯ãªãå ±æãããããšãå€ãã åºå žïŒãªãŒãã¡ãŒã·ã§ã³ã»ã·ã¹ãã ã»èšè£ äºå ž System Security PlanïŒ ã·ã¹ãã ã»ãã¥ãªãã£èŠä»¶ã®æŠèŠã瀺ããèŠä»¶ãéµå®ããããã«æœè¡ ã·ã¹ãã ã»ãã¥ãªãã£èšç» äžåã¯èšç»äžã®ã»ãã¥ãªãã£å¯Ÿçã«ã€ããŠèª¬æããæ£åŒææžã æž åºå žïŒNIST SP 800-18, Adapted [19] Technical ControlsïŒ æè¡å¶åŸ¡ ã·ã¹ãã ã®ããŒããŠãšã¢ããœãããŠãšã¢åã¯ãã¡ãŒã ãŠãšã¢ã³ã³ã㌠ãã³ãã«å«ãŸããã¡ã«ããºã ãéããŠãäž»ã«æ å ±ã·ã¹ãã ã«ããå®è£ ããå®æœãããæ å ±ã·ã¹ãã çšã®ã»ãã¥ãªãã£å¯ŸçïŒå®å šçåã¯å¯Ÿæ æ段ïŒã åºå žïŒNIST SP 800-18 [19] Temperature SensorïŒ æž©åºŠã»ã³ãµ 枩床ã«é¢ããé»æ°ä¿¡å·ãçºçããããã®çµæåšèŸºåªäœã®æž©åºŠãæ€ç¥ã ãã»ã³ãµã·ã¹ãã ã åºå žïŒNIST IR 6859 [2] 250 SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY Threat Any circumstance or event with the potential to adversely impact agency operations (including mission, functions, image, or reputation), agency assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. SOURCE: NIST SP 800-53 [22] Threat Event An event or situation that has the potential for causing undesirable consequences or impact. SOURCE: SP 800-30 [79] Threat Source The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability. Synonymous with Threat Agent. SOURCE: FIPS 200 [16]; SP 800-53 [22]; SP 800-53A [23]; SP 800-37 [21] Transmission Control Protocol (TCP) TCP is one of the main protocols in TCP/IP networks. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent. 
SOURCE: API 1164

Trojan Horse
A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.
SOURCE: RFC 4949 [75]

Unauthorized Access
A person gains logical or physical access without permission to a network, system, application, data, or other resource.
SOURCE: NIST SP 800-61 [59]

Unidirectional Gateway
Unidirectional gateways are a combination of hardware and software. The hardware permits data to flow from one network to another, but is physically unable to send any information at all back into the source network. The software replicates databases and emulates protocol servers and devices.

Valve
An in-line device in a fluid-flow system that can interrupt flow, regulate the rate of flow, or divert flow to another branch of the system.
SOURCE: The Automation, Systems, and Instrumentation Dictionary

Variable Frequency Drive (VFD)
A type of drive that controls the speed, but not the precise position, of a non-servo, AC motor by varying the frequency of the electricity going to that motor. VFDs are typically used for applications where speed and power are important, but precise positioning is not.
SOURCE: NIST IR 6859 [2]

Virtual Private Network (VPN)
A restricted-use, logical (i.e., artificial or simulated) computer network
that is constructed from the system resources of a relatively public, physical (i.e., real) network (such as the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the real network.
SOURCE: RFC 4949 [75]

Virus
A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting (i.e., inserting a copy of itself into and becoming part of) another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.
SOURCE: RFC 4949 [75]

Virus Definitions
Predefined signatures for known malware used by antivirus detection algorithms.

Vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
SOURCE: NIST SP 800-53 [22]

Whitelist
A list of discrete entities, such as hosts or applications, that are known to be benign and are approved for use within an organization and/or information system.
SOURCE: SP 800-128 [80]

Wide Area Network (WAN)
A physical or logical network that provides data communications to a larger number of independent users than are usually served by a local area network (LAN) and that is usually spread over a larger geographic area than that of a LAN.
SOURCE: API 1164

Wireless Device
Any device that can connect to an ICS network via radio or infrared waves, usually to collect or monitor data, but also in some cases to modify control set points.

Workstation
A computer used for tasks such as programming, engineering, and design.
SOURCE: NIST IR 6859 [2]

Worm
A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively.
SOURCE: RFC 4949 [75]

Appendix C—Threat Sources, Vulnerabilities, and Incidents

Several terms are used to describe the inter-related concepts of threat, threat source, threat event, and incident.
A threat is any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Threats have some intent or method that may exploit a vulnerability through either intentional or unintentional means; this intent or method is referred to as the threat source. A vulnerability is a weakness in an information system (including an ICS), system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. A threat event is an event or situation that has the potential for causing undesirable consequences or impact. When a threat event occurs, it becomes an incident that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. This section will explore ICS-specific threat sources, vulnerabilities, and incidents.

Threat Sources

Threats to ICS can come from numerous sources, which can be classified as adversarial, accidental, structural, and environmental. Table C-1 lists and defines known threat sources to ICS. It is necessary to create a risk management strategy for the ICS that protects the system against these possible threat sources. The threat source must be well understood in order to define and implement adequate protection. For example, environmental events (e.g., floods, earthquakes) are well understood, but may vary in their magnitude, frequency, and their ability to compound other interconnected events.
However, adversarial threats depend on the resources available to the adversary and the emergence of previously unknown vulnerabilities or attacks.

Table C-1. Threats to ICS

Type of Threat Source: ADVERSARIAL
  - Individual (Outsider; Insider; Trusted Insider; Privileged Insider)
  - Group (Ad hoc; Established)
  - Organization (Competitor; Supplier; Partner; Customer)
  - Nation-State
Description: Individuals, groups, organizations, or states that seek to exploit the organization's dependence on cyber resources (e.g., information in electronic form, information and communications technologies, and the communications and information-handling capabilities provided by those technologies).
Characteristics: Capability, Intent, Targeting

Type of Threat Source: ACCIDENTAL
  - User
  - Privileged User/Administrator
Description: Erroneous actions taken by individuals in the course of executing their everyday responsibilities.
Characteristics: Range of effects

Type of Threat Source: STRUCTURAL
  - Information Technology (IT) Equipment (Storage; Processing; Communications; Display; Sensor; Controller)
  - Environmental Controls (Temperature/Humidity Controls; Power Supply)
  - Software (Operating System; Networking; General-Purpose Application; Mission-Specific Application)
Description: Failures of equipment, environmental controls, or software due to aging, resource depletion, or other circumstances which exceed expected operating parameters.
Characteristics: Range of effects

Type of Threat Source: ENVIRONMENTAL
  - Natural or man-made disaster (Fire; Flood/Tsunami; Windstorm/Tornado; Hurricane; Earthquake; Bombing; Overrun)
  - Unusual Natural Event (e.g., sunspots)
  - Infrastructure Failure/Outage (Telecommunications; Electrical Power)
Description: Natural disasters and failures of critical infrastructures on which the organization depends, but which are outside the control of the organization. Note: Natural and man-made disasters can also be characterized in terms of their severity and/or duration. However, because the threat source and the threat event are strongly identified, severity and duration can be included in the description of the threat event (e.g., Category 5 hurricane causes extensive damage to the facilities housing mission-critical systems, making those systems unavailable for three weeks).
Characteristics: Range of effects

Vulnerabilities and Predisposing Conditions

This section addresses vulnerabilities and predisposing conditions that may be found in typical ICS. Vulnerabilities are weaknesses in information systems, system procedures, controls, or implementations that can be exploited by a threat source. Predisposing conditions are properties of the organization, mission/business process, architecture, or information systems that contribute to the likelihood of a threat event. The order of these vulnerabilities and predisposing conditions does not necessarily reflect any priority in terms of likelihood of occurrence or severity of impact. Additionally, the vulnerabilities and predisposing conditions identified in this section should not be considered a complete list; it should also not be assumed that these issues are found within every ICS.
The vulnerabilities and predisposing conditions are grouped according to where they exist, such as in the organization's policy and procedures, or the inadequacy of security mechanisms implemented in hardware, firmware, and software. The former are referred to as being in the organization and the latter as being in the system. Understanding the source of vulnerabilities and predisposing conditions can assist in determining optimal mitigation strategies. The groups of vulnerabilities used in this appendix are:

- Policy and Procedure.
- Architecture and Design.
- Configuration and Maintenance.
- Physical.
- Software Development.
- Communication and Network.

Deeper analysis may uncover that causes and observations may not be one-to-one; that is, some underlying causes may exhibit multiple symptoms and some symptoms may come from more than one cause. SP 800-53 contains a taxonomy of security controls, or countermeasures, to mitigate vulnerabilities and predisposing conditions. These are categorized in families, where each family contains security controls related to the general security topic of the family. While the families and controls from SP 800-53 provide a more complete overview of the potential vulnerabilities and predisposing conditions within an ICS, this section briefly reviews those issues known to be common within ICS. Any given ICS will usually exhibit a subset of the identified vulnerabilities, but may also contain additional vulnerabilities and predisposing conditions unique to the particular ICS implementation that do not appear in this appendix. Specific current information on ICS vulnerabilities can be researched at the Industrial Control System Computer Emergency Response Team (ICS-CERT) Web site [45].

Some vulnerabilities and predisposing conditions can be mitigated; others can only be accepted and controlled by appropriate countermeasures, but will result in some residual risk to the ICS. For example, some existing policies and procedures may be changed with a level of effort that the organization considers acceptable; others are more expeditiously dealt with by instituting additional policies and procedures. Vulnerabilities in products and services acquired from outside the organization are rarely under the direct control of the organization. Changes may be influenced by market forces, but this is a slow and indirect approach. Instead, the organization may change predisposing conditions to reduce the likelihood that a systemic vulnerability will be exploited.
Policy and Procedure Vulnerabilities and Predisposing Conditions

Vulnerabilities and predisposing conditions are often introduced into the ICS because of incomplete, inappropriate, or nonexistent security policy, including its documentation, implementation guides (e.g., procedures), and enforcement. Management support of security policy and procedures is the cornerstone of any security program. Organization security policy can reduce vulnerabilities by mandating and enforcing proper conduct. Written policy and procedures are mechanisms for informing staff and stakeholders of decisions about behavior that is beneficial to the organization. From this perspective, policy is an educational and instructive way to reduce vulnerabilities. Enforcement is partner to policy, encouraging people to do the "right" thing. Various forms of corrective action are the usual consequences to personnel not following policy and procedures. Policies should be explicit about the consequences to individuals or organizations that do not conform.

[45] http://ics-cert.us-cert.gov

There is usually a complex policy and procedure environment that includes laws and regulations, overlapping jurisdictions and spheres of influence, economics, custom, and history. The larger enterprise is often subdivided into organizational units that should work together to reduce vulnerabilities. The scope and hierarchical relationship among policies and procedures needs to be managed for maximum effectiveness. Certain controls in SP 800-53 and the ICS overlay in Appendix G specify responsibilities and requirements for the organization, while others focus on the capabilities and operation of the various systems within the organization.
For example, the control AC-6, Least Privilege, states "The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions." The organization has to make decisions that get codified in policy and procedures. Some resulting artifacts, such as job descriptions that include roles, responsibilities, and authority, remain in a form suitable for people, while other artifacts, such as attributes, privileges, and access control rules, are implemented in IT.

Note that the ICS overlay follows SP 800-53 in employing the term "organization" very flexibly so that its guidance can be used by all sizes of organizational entities up and down an organization chart. Specific organizations should be identified, starting with the organization responsible for issuing and maintaining the policy or procedure.

Table C-2 presents examples of observed policy and procedure vulnerabilities for ICS.

Table C-2. Policy and Procedure Vulnerabilities and Predisposing Conditions

Vulnerability: Inadequate security policy for the ICS
Description: Vulnerabilities are often introduced into ICS due to inadequate policies or the lack of policies specifically for control system security. Every countermeasure should be traceable to a policy. This ensures uniformity and accountability. Policy must include portable and mobile devices used with ICS.

Vulnerability: No formal ICS security training and awareness program
Description: A documented formal security training and awareness policy and program is designed to keep staff up to date on organizational security policies and procedures as well as threats, industry cybersecurity standards, and recommended practices. Without training on specific ICS policies and procedures, staff cannot be expected to maintain a secure ICS environment.

Vulnerability: Absent or deficient ICS equipment implementation guidelines
Description: Equipment implementation guidelines should be kept up to date and readily available. These guidelines are an integral part of security procedures in the event of an ICS malfunction.

Vulnerability: Lack of administrative mechanisms for security policy enforcement
Description: Staff responsible for enforcing security should be held accountable for administering documented security policies and procedures.

Vulnerability: Inadequate review of the effectiveness of the ICS security controls
Description: Procedures and schedules should exist to determine the extent to which the security program and its constituent controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the ICS. The examination is sometimes called an "audit," "evaluation," or "assessment." Policy should address the stage of the life-cycle, purpose, technical expertise, methodology, and level of independence.

Vulnerability: No ICS-specific contingency plan
Description: A contingency plan should be prepared, tested, and available in the event of a major hardware or software failure or destruction of facilities. Lack of a specific plan for the ICS could lead to extended downtimes and production loss.

Vulnerability: Lack of configuration management policy
Description: Lack of policy and procedures for ICS configuration change management can lead to an unmanageable and highly vulnerable inventory of hardware, firmware, and software.

Vulnerability: Lack of adequate access control policy
Description: Access control enforcement depends on policy that correctly models roles, responsibilities, and authorizations. The policy model must enable the way the organization functions.

Vulnerability: Lack of adequate authentication policy
Description: Authentication policies are needed to define when authentication mechanisms (e.g., passwords, smart cards) must be used, how strong they must be, and how they must be maintained. Without policy, systems might not have appropriate authentication controls, making unauthorized access to systems more likely. Authentication policies should be developed as part of an overall ICS security program, taking into account the capabilities of the ICS and its personnel to handle more complex passwords and other mechanisms.

Vulnerability: Inadequate incident detection and response plan and procedures
Description: Incident detection and response plans, procedures, and methods are necessary for rapidly detecting incidents, minimizing loss and destruction, preserving evidence for later forensic examination, mitigating the weaknesses that were exploited, and restoring ICS services. Establishing a successful incident response capability includes continually monitoring for anomalies, prioritizing the handling of incidents, and implementing effective methods of collecting, analyzing, and reporting data.

Vulnerability: Lack of redundancy for critical components
Description: Lack of redundancy in critical components could create single points of failure.

System Vulnerabilities and Predisposing Conditions

Security controls must clearly identify the systems to which they apply. Systems range widely in size, scope, and capability. At the small end of the spectrum, a system may be an individual hardware or software product or service. At the other end of the spectrum we find large complex systems, systems-of-systems, and networks, all of which incorporate hardware architecture and software framework (including application frameworks), where the combination supports the operation of the ICS.
System vulnerabilities can occur in the hardware, firmware, and software used to build the ICS. Sources of vulnerabilities include design flaws, development flaws, misconfigurations, poor maintenance, poor administration, and connections with other systems and networks. Many of the controls in the SP 800-53 and the ICS overlay in Appendix Gâ specify what the system must do to mitigate these vulnerabilities. The potential vulnerabilities and predisposing conditions commonly found within ICS systems are categorized with the following tables: ïŒ Table C-3. Architecture and Design Vulnerabilities and Predisposing Conditions. ïŒ Table C-4. Configuration and Maintenance Vulnerabilities and Predisposing Conditions. ïŒ Table C-5. Physical Vulnerabilities and Predisposing Conditions. 263 SP800-82 第 2 ç ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ã èåŒ±æ§ å 容 ICS åºæã®ç·æ¥æ察å¿èšç»ã®æ¬ åŠ ç·æ¥æ察å¿èšç»ãäœæããæ€èšŒãã倧èŠæš¡ãªããŒããŠãšã¢åã¯ãœãããŠãšã¢ é害æãæœèšç Žå£æã«å©çšã§ããããã«ãã¹ãã§ãããICS ã®å ·äœçèšç»æž ããªããšãããŠã³ã¿ã€ã ãçç£æ倱ãæ¡å€§ããããªãã æ§æ管çããªã·ãŒã®æ¬ åŠ ICS æ§æ管çããªã·ãŒåã³æé ã®æ¬ åŠã¯ãããŒããŠãšã¢ããã¡ãŒã ãŠãšã¢å ã³ãœãããŠãšã¢ã®ç®¡çã§ããªã倧ããªè匱æ§ã«ã€ãªããã é©æ£ãªã¢ã¯ã»ã¹å¶åŸ¡ããªã·ãŒã®æ¬ åŠ ã¢ã¯ã»ã¹å¶åŸ¡ã®æœè¡ã¯ãããªã·ãŒã®æ£ããã¢ãã«åœ¹å²ã責任åã³æš©éä»äžã« ããã£ãŠãããããªã·ãŒã¢ãã«ã¯ãçµç¹ãæ©èœããããã®æ¹æ³ãå®çŸããªã ãã°ãªããªãã é©æ£ãªèªèšŒããªã·ãŒã®æ¬ åŠ èªèšŒã¡ã«ããºã ïŒãã¹ã¯ãŒããã¹ããŒãã«ãŒãçïŒãå©çšããéã«ãèªèšŒã ãªã·ãŒã¯ã¡ã«ããºã ã®åŒ·åºŠåã³ç¶ææ¹æ³ãæããã«ããå¿ èŠããããããªã· ãŒããªããã°ãã·ã¹ãã ã¯é©æ£ãªèªèšŒç®¡çãã§ãããç¡é§ã¢ã¯ã»ã¹ãèš±ãã ãšã«ãªããèªèšŒããªã·ãŒã¯ãå šäœç㪠ICS ã»ãã¥ãªãã£ããã°ã©ã ã®äžç°ãš ããŠäœæããICS ã®èœåãšãããè€éãªãã¹ã¯ãŒããã®ä»ã®ã¡ã«ããºã ãæ± ãè·å¡ã®èœåãšãèæ ®ã«å ¥ããã¹ãã§ããã ã€ã³ã·ãã³ãæ€ç¥ã»å¯Ÿå¿èšç»æžåã³ æé ã®äžå ã€ã³ã·ãã³ãæ€ç¥ã»å¯Ÿå¿èšç»æžãæé åã³æ¹æ³ã¯ã€ã³ã·ãã³ãã®è¿ éãªæ€ ç¥ãæ倱ã»ç Žå£ã®å±éãåŸæ¥å¿ èŠãšãªã調æ»æ€èšŒçšèšŒæ ã®ä¿åãå©çšããã 匱ç¹ã®ç·©ååã³ ICS ãµãŒãã¹ã®åŸ©æ§ãè¡ãäžã§å¿ èŠã§ãããæå¹ãªã€ã³ã·ã ã³ã察å¿èœåã«ã¯ãç°åžžã«å¯Ÿããç¶ç¶ç£èŠãã€ã³ã·ãã³ãåŠçã®åªå ã¥ãã å¹æçãªããŒã¿åéã»åæã»å ±åæ¹æ³ã®å®æœãå«ãŸããã 
éèŠã³ã³ããŒãã³ãã®åé·æ§ã®æ¬ åŠ éèŠã³ã³ããŒãã³ãã®åé·æ§ã®æ¬ åŠã¯ãåäžé害ç¹ãšãªããããªãã ã·ã¹ãã ã®è匱æ§åã³åŒ±ç¹ãšãªãç¶æ ã»ãã¥ãªãã£å¯Ÿçã§ã¯ãé©çšå¯Ÿè±¡ãšãªãã·ã¹ãã ãç¹å®ããªããã°ãªããªããã·ã¹ãã ã®èŠæš¡ã ç¯å²åã³èœåã¯å€çš®å€æ§ã§ãããæå°ã·ã¹ãã ã¯ãåã ã®ããŒããŠãšã¢è¥ããã¯ãœãããŠãšã¢è£œ ååã¯ãµãŒãã¹ã§ããããå察ã«æ倧ã·ã¹ãã ã¯ã倧èŠæš¡è€åã·ã¹ãã ãã·ã¹ãã äžã«ã·ã¹ãã ã®ãããã®åã³ãããã¯ãŒã¯ã§ããããã¯ããŒããŠãšã¢ã¢ãŒããã¯ãã£åã³ãœãããŠãšã¢ãã¬ãŒ ã ã¯ãŒã¯ïŒã¢ããªã±ãŒã·ã§ã³ãã¬ãŒã ã¯ãŒã¯çïŒãå«ã¿ãããããäžäœãšãªã£ãŠ ICS ã®éçšãæ¯ ããã ã·ã¹ãã è匱æ§ã¯ ICS ãæ§ç¯ããããŒããŠãšã¢ããã¡ãŒã ãŠãšã¢åã³ãœãããŠãšã¢ã§çãåŸãã è匱æ§ã®åå ã«ã¯èšèšäžã®æ¬ é¥ãéçºäžã®æ¬ é¥ãèšå®ãã¹ãä¿å®ã®äžåã管çã®äžååã³ä»ã®ã· ã¹ãã ããããã¯ãŒã¯ãžã®æ¥ç¶çããããSP 800-53 åã³ä»é² G ã® ICS ãªãŒããŒã¬ã€ã«å«ãŸã㊠ãã管çã®å€ãã¯ããã®ãããªè匱æ§ãç·©åããããã«ã·ã¹ãã ãè¡ããªããã°ãªããªãäºæã èŠå®ããŠããã ICS ã§äžè¬çã«èŠãããè匱æ§åã³åŒ±ç¹ãšãªãç¶æ ã以äžã®è¡šã«åé¡ããã ïŒ è¡š C-3.ã¢ãŒããã¯ãã£åã³èšèšäžã®è匱æ§åã³åŒ±ç¹ãšãªãç¶æ ïŒ è¡š C-4.æ§æåã³ä¿å®äžã®è匱æ§åã³åŒ±ç¹ãšãªãç¶æ ïŒ è¡š C-5.ç©ççè匱æ§åã³åŒ±ç¹ãšãªãç¶æ 264 SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY ïŒ Table C-6. Software Development Vulnerabilities and Predisposing Conditions. ïŒ Table C-7. Communication and Network Configuration Vulnerabilities and Predisposing Conditions. Table C-3. Architecture and Design Vulnerabilities and Predisposing Conditions Vulnerability Description Inadequate incorporation of security into architecture and design. Incorporating security into the ICS architecture, design must start with budget, and schedule of the ICS. The security architecture is part of the Enterprise Architecture. The architectures must address the identification and authorization of users, access control mechanism, network topologies, and system configuration and integrity mechanisms. 
Vulnerability: Insecure architecture allowed to evolve
Description: The network infrastructure environment within the ICS has often been developed and modified based on business and operational requirements, with little consideration for the potential security impacts of the changes. Over time, security gaps may have been inadvertently introduced within particular portions of the infrastructure. Without remediation, these gaps may represent backdoors into the ICS.

Vulnerability: No security perimeter defined
Description: If the ICS does not have a clearly defined security perimeter, then it is not possible to ensure that the necessary security controls are deployed and configured properly. This can lead to unauthorized access to systems and data, as well as other problems.

Vulnerability: Control networks used for non-control traffic
Description: Control and non-control traffic have different requirements, such as determinism and reliability, so having both types of traffic on a single network makes it more difficult to configure the network so that it meets the requirements of the control traffic. For example, non-control traffic could inadvertently consume resources that control traffic needs, causing disruptions in ICS functions.

Vulnerability: Control network services not within the control network
Description: Where IT services such as Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) are used by control networks, they are often implemented in the IT network, causing the ICS network to become dependent on the IT network, which may not have the reliability and availability required by the ICS.

Vulnerability: Inadequate collection of event data history
Description: Forensic analysis depends on collection and retention of sufficient data. Without proper and accurate data collection, it might be impossible to determine what caused a security incident to occur. Incidents might go unnoticed, leading to additional damage and/or disruption. Regular security monitoring is also needed to identify problems with security controls, such as misconfigurations and failures.
Table C-4. Configuration and Maintenance Vulnerabilities and Predisposing Conditions

Vulnerability: Hardware, firmware, and software not under configuration management
Description: The organization doesn't know what it has, what versions it has, where they are, or what their patch status is, resulting in an inconsistent and ineffective defense posture. A process for controlling modifications to hardware, firmware, software, and documentation should be implemented to ensure an ICS is protected against inadequate or improper modifications before, during, and after system implementation. A lack of configuration change management procedures can lead to security oversights, exposures, and risks. To properly secure an ICS, there should be an accurate listing of the assets in the system and their current configurations. These procedures are critical to executing business continuity and disaster recovery plans.
Vulnerability: OS and vendor software patches may not be developed until significantly after security vulnerabilities are found
Description: Because of the tight coupling between ICS software and the underlying ICS, changes must undergo expensive and time-consuming comprehensive regression testing. The elapsed time for such testing and subsequent distribution of updated software provides a long window of vulnerability.

Vulnerability: OS and application security patches are not maintained or vendor declines to patch vulnerability
Description: Out-of-date OSs and applications may contain newly discovered vulnerabilities that could be exploited. Documented procedures should be developed for how security patches will be maintained. Security patch support may not even be available for ICS that use outdated OSs, so procedures should include contingency plans for mitigating vulnerabilities where patches may never be available.

Vulnerability: Inadequate testing of security changes
Description: Modifications to hardware, firmware, and software deployed without testing could compromise normal operation of the ICS. Documented procedures should be developed for testing all changes for security impact. The live operational systems should never be used for testing. The testing of system modifications may need to be coordinated with system vendors and integrators.

Vulnerability: Poor remote access controls
Description: There are many reasons why an ICS may need to be remotely accessed, including vendors and system integrators performing system maintenance functions, and also ICS engineers accessing geographically remote system components. Remote access capabilities must be adequately controlled to prevent unauthorized individuals from gaining access to the ICS.

Vulnerability: Poor configurations are used
Description: Improperly configured systems may leave unnecessary ports and protocols open; these unnecessary functions may contain vulnerabilities that increase the overall risk to the system. Using default configurations often exposes vulnerabilities and exploitable services. All settings should be examined.

Vulnerability: Critical configurations are not stored or backed up
Description: Procedures should be available for restoring ICS configuration settings in the event of accidental or adversary-initiated configuration changes, to maintain system availability and prevent loss of data. Documented procedures should be developed for maintaining ICS configuration settings.

Vulnerability: Data unprotected on portable device
Description: If sensitive data (e.g., passwords, dial-up numbers) is stored in the clear on portable devices such as laptops and mobile devices and these devices are lost or stolen, system security could be compromised. Policy, procedures, and mechanisms are required for protection.

Vulnerability: Password generation, use, and protection not in accord with policy
Description: There is a large body of experience with using passwords in IT that is applicable to ICS. Password policy and procedure must be followed to be effective. Violations of password policy and procedures can drastically increase ICS vulnerability.

Vulnerability: Inadequate access controls applied
Description: Access controls must be matched to the way the organization allocates responsibilities and privilege to its personnel. Poorly specified access controls can result in giving an ICS user too many or too few privileges. The following exemplify each case:
• A system configured with default access control settings gives an operator administrative privileges
• An improperly configured system results in an operator being unable to take corrective actions in an emergency situation

Vulnerability: Improper data linking
Description: ICS data storage systems may be linked with non-ICS data sources. An example of this is database links, which allow data from one database to be automatically replicated to others. Data linkage may create a vulnerability if it is not properly configured and may allow unauthorized data access or manipulation.

Vulnerability: Malware protection not installed or up to date
Description: Installation of malicious software, or malware, is a common attack. Malware protection software, such as antivirus software, must be kept current in a very dynamic environment. Outdated malware protection software and definitions leave the system open to new malware threats.
Vulnerability: Malware protection implemented without sufficient testing
Description: Malware protection software deployed without sufficient testing could impact normal operation of the ICS and block the system from performing necessary control actions.

Vulnerability: Denial of service (DoS)
Description: ICS software could be vulnerable to DoS attacks, resulting in the prevention of authorized access to a system resource or delaying system operations and functions.

Vulnerability: Intrusion detection/prevention software not installed
Description: Incidents can result in loss of system availability and integrity; the capture, modification, and deletion of data; and incorrect execution of control commands. IDS/IPS software may stop or prevent various types of attacks, including DoS attacks, and also identify attacked internal hosts, such as those infected with worms. IDS/IPS software must be tested prior to deployment to determine that it does not compromise normal operation of the ICS.

Vulnerability: Logs not maintained
Description: Without proper and accurate logs, it might be impossible to determine what caused a security event to occur.

Table C-5. Physical Vulnerabilities and Predisposing Conditions

Vulnerability: Unauthorized personnel have physical access to equipment
Description: Physical access to ICS equipment should be restricted to only the necessary personnel, taking into account safety requirements, such as emergency shutdown or restarts. Improper access to ICS equipment can lead to any of the following:
• Physical theft of data and hardware
• Physical damage or destruction of data and hardware
• Unauthorized changes to the functional environment (e.g., data connections, unauthorized use of removable media, adding/removing resources)
• Disconnection of physical data links
• Undetectable interception of data (keystroke and other input logging)

Vulnerability: Radio frequency, electromagnetic pulse (EMP), static discharge, brownouts and voltage spikes
Description: The hardware used for control systems is vulnerable to radio frequency and electromagnetic pulses (EMP), static discharge, brownouts and voltage spikes. The impact can range from temporary disruption of command and control to permanent damage to circuit boards. Proper shielding, grounding, power conditioning, and/or surge suppression is recommended.

Vulnerability: Lack of backup power
Description: Without backup power to critical assets, a general loss of power will shut down the ICS and could create an unsafe situation. Loss of power could also lead to insecure default settings.

Vulnerability: Loss of environmental control
Description: Loss of environmental control (e.g., temperature, humidity) could lead to equipment damage, such as processors overheating. Some processors will shut down to protect themselves; some may continue to operate but in a minimal capacity and may produce intermittent errors, continually reboot, or become permanently incapacitated.

Vulnerability: Unsecured physical ports
Description: Unsecured universal serial bus (USB) and PS/2 ports could allow unauthorized connection of thumb drives, keystroke loggers, etc.
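To make the Table C-4 rows on configuration management, poor configurations and backed-up critical configurations concrete, the following Python example (added here; it is not code from SP 800-82 or JPCERT) audits a constructed snapshot of ICS hosts against a stored baseline: inventory membership, firmware version, exposed services against a site allowlist, and a hash of the backed-up configuration. All host names, versions, services and settings are constructed for the example.

```python
import hashlib
import json

# Constructed baseline: the stored asset inventory and backed-up configuration
# for each ICS host. Names, versions and settings are made up for this example.
BASELINE = {
    "plc-01": {
        "firmware": "4.2.1",
        "services": {"modbus/502"},
        "config": {"max_speed": 1500, "alarm_high": 80.0, "remote_prog": False},
    },
    "hmi-01": {
        "firmware": "7.0.3",
        "services": {"https/443", "opc-ua/4840"},
        "config": {"auto_login": False, "session_timeout_min": 15},
    },
}

# Services permitted anywhere on the control network (constructed allowlist).
# Anything else found open on a host is flagged whatever the baseline says.
ALLOWED_SERVICES = {"modbus/502", "https/443", "opc-ua/4840", "ssh/22"}


def config_hash(config: dict) -> str:
    """Hash of a canonical JSON encoding, so two configurations compare
    by content rather than by key order or formatting."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def audit(baseline: dict, snapshot: dict, allowed: set = ALLOWED_SERVICES) -> list:
    """Compare a live snapshot with the baseline; return (host, finding) pairs."""
    findings = []
    for host, seen in snapshot.items():
        ref = baseline.get(host)
        if ref is None:
            # Table C-4: the organization does not know what it has.
            findings.append((host, "not in asset inventory"))
            continue
        if seen["firmware"] != ref["firmware"]:
            findings.append((host, f"firmware drift {ref['firmware']} -> {seen['firmware']}"))
        # Ports/protocols open that the baseline does not expect; "disallowed"
        # when the site allowlist does not permit the service at all.
        for svc in sorted(seen["services"] - ref["services"]):
            kind = "unexpected service" if svc in allowed else "disallowed service"
            findings.append((host, f"{kind} {svc}"))
        if config_hash(seen["config"]) != config_hash(ref["config"]):
            # Table C-4: critical configuration changed; restore from the stored copy.
            findings.append((host, "configuration differs from stored backup"))
    for host in sorted(baseline.keys() - snapshot.keys()):
        findings.append((host, "missing from snapshot"))
    return findings


def demo_snapshot() -> dict:
    """Constructed snapshot: plc-01 has telnet enabled and an alarm limit raised,
    hmi-01 is unchanged (keys in a different order), and an unknown
    engineering workstation has appeared on the network."""
    return {
        "plc-01": {
            "firmware": "4.2.1",
            "services": {"modbus/502", "telnet/23"},
            "config": {"remote_prog": False, "alarm_high": 95.0, "max_speed": 1500},
        },
        "hmi-01": {
            "firmware": "7.0.3",
            "services": {"opc-ua/4840", "https/443"},
            "config": {"session_timeout_min": 15, "auto_login": False},
        },
        "eng-ws-07": {
            "firmware": "unknown",
            "services": {"ssh/22", "smb/445"},
            "config": {},
        },
    }


def demo() -> list:
    return audit(BASELINE, demo_snapshot())


if __name__ == "__main__":
    for host, finding in demo():
        print(f"{host}: {finding}")
```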
Table C-6. Software Development Vulnerabilities and Predisposing Conditions

Vulnerability: Improper data validation
Description: ICS software may not properly validate user inputs or received data to ensure validity. Invalid data may result in numerous vulnerabilities including buffer overflows, command injections, cross-site scripting, and path traversals.

Vulnerability: Installed security capabilities not enabled by default
Description: Security capabilities that were installed with the product are useless if they are not enabled or at least identified as being disabled.

Vulnerability: Inadequate authentication, privileges, and access control in software
Description: Unauthorized access to configuration and programming software could provide the ability to corrupt a device.

Table C-7. Communication and Network Configuration Vulnerabilities and Predisposing Conditions

Vulnerability: Data flow controls not employed
Description: Data flow controls, based on data characteristics, are needed to restrict which information is permitted between systems. These controls can prevent exfiltration of information and illegal operations.

Vulnerability: Firewalls nonexistent or improperly configured
Description: A lack of properly configured firewalls could permit unnecessary data to pass between networks, such as control and corporate networks, allowing attacks and malware to spread between networks, making sensitive data susceptible to monitoring/eavesdropping, and providing individuals with unauthorized access to systems.

Vulnerability: Inadequate firewall and router logs
Description: Without proper and accurate logs, it might be impossible to determine what caused a security incident to occur.

Vulnerability: Standard, well-documented communication protocols are used in plain text
Description: Adversaries that can monitor the ICS network activity can use a protocol analyzer or other utilities to decode the data transferred by protocols such as telnet, File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), and Network File System (NFS). The use of such protocols also makes it easier for adversaries to perform attacks against the ICS and manipulate ICS network activity.

Vulnerability: Authentication of users, data or devices is substandard or nonexistent
Description: Many ICS protocols have no authentication at any level. Without authentication, there is the potential to replay, modify, or spoof data or to spoof devices such as sensors and user identities.

Vulnerability: Use of unsecure industry-wide ICS protocols
Description: ICS protocols often have few or no security capabilities, such as authentication and encryption, to protect data from unauthorized access or tampering. Additionally, incorrect implementation of the protocols can lead to additional vulnerabilities.

Vulnerability: Lack of integrity checking for communications
Description: There are no integrity checks built into most industrial control protocols; adversaries could manipulate communications undetected. To ensure integrity, the ICS can use lower-layer protocols (e.g., IPsec) that offer data integrity protection.

Vulnerability: Inadequate authentication between wireless clients and access points
Description: Strong mutual authentication between wireless clients and access points is needed to ensure that clients do not connect to a rogue access point deployed by an adversary, and also to ensure that adversaries do not connect to any of the ICS's wireless networks.

Vulnerability: Inadequate data protection between wireless clients and access points
Description: Sensitive data between wireless clients and access points should be protected using strong encryption to ensure that adversaries cannot gain unauthorized access to the unencrypted data.
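As an added illustration of the replay, modification and spoofing risks named in the Table C-7 rows on authentication and integrity checking, the following Python example (constructed here; not code from SP 800-82 or JPCERT) wraps a plaintext control command in a sequence number and an HMAC-SHA256 tag at the application layer, a stand-in for the data integrity protection the table attributes to lower-layer protocols such as IPsec. The key, the command text and the device name are constructed, and the unprotected receiver models a protocol with no integrity check at all.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real deployment would provision per-device keys.
KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 32  # HMAC-SHA256 digest length in bytes


def protect(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Frame = 4-byte big-endian sequence number || payload || HMAC-SHA256 tag.
    The tag covers both the sequence number and the payload, so neither can be
    altered without the key."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Accepts a frame only if the tag verifies and the sequence number advances,
    which rejects modified, forged and replayed frames respectively."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_seq = -1
        self.accepted = []

    def receive(self, frame: bytes) -> str:
        if len(frame) < 4 + TAG_LEN:
            return "rejected: truncated"
        header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "rejected: bad tag"
        seq = struct.unpack(">I", header)[0]
        if seq <= self.last_seq:
            return "rejected: replay"
        self.last_seq = seq
        self.accepted.append(payload)
        return "accepted"


def unprotected_receive(payload: bytes) -> str:
    """Model of a plaintext ICS protocol with no integrity check: any bytes that
    parse are acted on, so a modified command is indistinguishable from a real one."""
    return "accepted"


def demo() -> dict:
    """Run one genuine, one modified, one replayed and one forged frame through
    both receivers and report what each does with it."""
    rx = Receiver()
    results = {}
    good = protect(1, b"SET pump3 speed=1200")  # constructed command
    results["genuine"] = rx.receive(good)

    # Change one digit of the setpoint (1200 -> 9200) in transit without the key.
    idx = 4 + good[4:-TAG_LEN].index(b"1200")
    tampered = good[:idx] + b"9" + good[idx + 1:]
    results["tampered"] = rx.receive(tampered)
    results["unprotected_tampered"] = unprotected_receive(tampered[4:-TAG_LEN])

    # Re-send the genuine frame: the tag is valid but the sequence number is stale.
    results["replayed"] = rx.receive(good)

    # A frame built by a party that lacks the shared key (spoofed device).
    forged = protect(2, b"SET pump3 speed=0", key=b"not-the-real-key")
    results["spoofed"] = rx.receive(forged)

    # The legitimate sender continues normally.
    results["next_genuine"] = rx.receive(protect(2, b"SET pump3 speed=1150"))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} {outcome}")
```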
Incidents

A threat event is an event or situation that could potentially cause an undesirable consequence or impact to the ICS, resulting from some threat source. In NIST SP 800-30 Rev. 1, Appendix E identifies a broad set of threat events that could potentially impact information systems [79]. The properties of an ICS may also present unique threat events, specifically addressing how threat events can manipulate the process of the ICS to cause physical damage. Table C-8 provides an overview of potential ICS threat events.

Table C-8. Example Adversarial Incidents

Threat Event: Denial of Control Action
Description: Control systems operation disrupted by delaying or blocking the flow of information, thereby denying availability of the networks to control system operators or causing information transfer bottlenecks or denial of service by IT-resident services (such as DNS).

Threat Event: Control Devices Reprogrammed
Description: Unauthorized changes made to programmed instructions in PLCs, RTUs, DCS, or SCADA controllers, alarm thresholds changed, or unauthorized commands issued to control equipment, which could potentially result in damage to equipment (if tolerances are exceeded), premature shutdown of processes (such as prematurely shutting down transmission lines), causing an environmental incident, or even disabling control equipment.

Threat Event: Spoofed System Status Information
Description: False information sent to control system operators either to disguise unauthorized changes or to initiate inappropriate actions by system operators.

Threat Event: Control Logic Manipulation
Description: Control system software or configuration settings modified, producing unpredictable results.

Threat Event: Safety Systems Modified
Description: Safety system operation is manipulated such that the safety systems either (1) do not operate when needed or (2) perform incorrect control actions that damage the ICS.

Threat Event: Malware on Control Systems
Description: Malicious software (e.g., virus, worm, Trojan horse) introduced into the system.

In addition, in control systems that cover a wide geographic area, the remote sites are often not staffed and may not be physically monitored. If such remote systems are physically breached, the adversaries could establish a connection back to the control network.

Sources of Incidents

An accurate accounting of cyber incidents on control systems is difficult to determine. However, individuals in the industry who have been focusing on this issue see similar growth trends between vulnerabilities exposed in traditional IT systems and those being found in control systems.
ICS-CERT is a DHS organization that focuses on reducing the risk across critical infrastructure by identifying threats and vulnerabilities, while also providing mitigation strategies. ICS-CERT provides a trusted party where system owners and operators can report information about incidents within their ICS and obtain advice on mitigating their risk. Information submitted by infrastructure owners and operators is protected under the Critical Infrastructure Information Act of 2002 as Protected Critical Infrastructure Information (PCII) from disclosure under the Freedom of Information Act (FOIA), disclosure under state, tribal, and local disclosure laws, use in regulatory actions, and use in civil litigation. In the event of an incident at critical infrastructure facilities, ICS-CERT can also perform onsite deployments to respond to and analyze incidents. ICS-CERT publishes advisories of new security vulnerabilities discovered in common ICS platforms. Figure C-1 shows (1) the number of ICS incidents reported, (2) the number of onsite ICS deployments taken by ICS-CERT, and (3) the number of ICS vulnerabilities reported between the years 2010 and 2013 (footnote 47).

47 https://ics-cert.us-cert.gov/
Other sources of control system impact information show an increase in control system incidents as well. This information should not be assumed to contain all ICS-related incidents or discovered vulnerabilities, as some information may go unreported.

Figure C-1. ICS-CERT Reported Incidents by Year

Documented Incidents

Numerous ICS incidents have been reported that demonstrate how threat sources can negatively impact an ICS. These events help demonstrate the severity of the threat sources, vulnerabilities, and impacts within the ICS domain. As mentioned in Section C.2, the four broad categories of threat sources are adversarial, accidental, structural, and environmental. Often an incident can be the result of multiple threat sources (e.g., an environmental event causes a system failure, which is responded to incorrectly by an operator, resulting in an accidental event). Reported incidents from these categories include the following:

Adversarial Events

• Worcester Air Traffic Communications (footnote 49). In March 1997, a teenager in Worcester, Massachusetts disabled part of the public switched telephone network using a dial-up modem connected to the system. This knocked out phone service at the control tower, airport security, the airport fire department, the weather service, and carriers that use the airport. Also, the tower's main radio transmitter and another transmitter that activates runway lights were shut down, as well as a printer that controllers use to monitor flight progress. The attack also knocked out phone service to 600 homes and businesses in the nearby town of Rutland.
49 Additional information on the Worcester Air Traffic Communications incident can be found at: http://www.cnn.com/TECH/computing/9803/18/juvenile.hacker/index.html

• Maroochy Shire Sewage Spill (footnote 51). In the spring of 2000, a former employee of an Australian organization that develops manufacturing software applied for a job with the local government, but was rejected.
Over a two-month period, the disgruntled rejected employee reportedly used a radio transmitter on as many as 46 occasions to remotely break into the controls of a sewage treatment system. He altered electronic data for particular sewerage pumping stations and caused malfunctions in their operations, ultimately releasing about 264 000 gallons of raw sewage into nearby rivers and parks. ïŒ Davis-Besse 52. In August 2003, the Nuclear Regulatory Commission confirmed that in January 2003, the Microsoft SQL Server worm known as Slammer infected a private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly five hours. In addition, the plantâs process computer failed, and it took about six hours for it to become available again. Slammer reportedly also affected communications on the control networks of at least five other utilities by propagating so quickly that control system traffic was blocked. ïŒ Zotob Worm 53. In August 2005, a round of Internet worm infections knocked 13 of DaimlerChryslerâs U.S. automobile manufacturing plants offline for almost an hour, stranding workers as infected Microsoft Windows systems were patched. Plants in Illinois, Indiana, Wisconsin, Ohio, Delaware, and Michigan were knocked offline. While the worm affected primarily Windows 2000 systems, it also affected some early versions of Windows XP. Symptoms include the repeated shutdown and rebooting of a computer. Zotob and its variations caused computer outages at heavyequipment maker Caterpillar Inc., aircraft-maker Boeing, and several large U.S. news organizations. ïŒ Stuxnet Worm 54. Stuxnet was a Microsoft Windows computer worm discovered in July 2010 that specifically targeted industrial software and equipment. 
The worm initially spread indiscriminately, but included a highly specialized malware payload that was designed to target only specific SCADA systems that were configured to control and monitor specific industrial processes ïŒ Brute Force Attacks on Internet-Facing Control Systems 55. On February 22, 2013 ICS-CERT received a report from a gas compressor station owner about an increase in brute force attempts to access their process control network. The forensic evidence contained 10 separate IPs and additional calls of a similar nature from additional natural gas pipeline asset owners, which yielded 39 additional IPs of concern. Log analysis showed a date range from January 16, 2013 but there have been no reports since March 8, 2013. ïŒ Shamoon 56. Saudi Aramco, which is the worldâs 8th largest oil refiner, experienced a malware attack that targeted their refineries and overwrote the attacked systemâs Master Boot Records (MBR), partition tables and other random data files. This caused the systems to become unusable. 51 Additional information on the Maroochy Shire Sewage Spill incident can be found at: http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-Water-Services-Case-Study_report.pdf and http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/ [each accessed 4/16/15]. Additional information on the Davis-Besse incident can be found at: http://www.securityfocus.com/news/6767 [accessed 4/16/15]. Additional information on the Zotob Worm incident can be found at: http://www.eweek.com/c/a/Security/ZotobPnP-Worms-Slam-13-DaimlerChrysler-Plants [accessed 4/16/15]. Additional information on the Stuxnet worm can be found at: http://en.wikipedia.org/wiki/Stuxnet [accessed 4/16/15]. Additional information on ICS-CERT reported incidents can be found at: https://ics-cert.us-cert.gov/Information-Products [accessed 4/16/15]. 
Additional information on Shamoon can be found at: http://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2012.pdf [accessed 4/16/15]. 52 53 54 55 56 277 SP800-82 第 2 ç ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ã ïŒ ãã«ãŒããŒåžã®äžæ°Žæµåº 57 2000 幎æ¥ã豪å·ã®å ãœãããŠãšã¢éçºäŒç€Ÿç€Ÿå¡ãå°æ¹èªæ²»äœè· å¡ã®åéã«å¿åãããäžæ¡çšã«ãªã£ããäžæºãæ±ããåœäººã¯ã2 ãæéã«ããã 46 åãç¡ ç·éä¿¡æ©ã§äžæ°ŽåŠçè£ çœ®ã«äŸµå ¥ãããããäžæ°Žãã³ãã¹ããŒã·ã§ã³ã®é»åããŒã¿ãæ¹å€ããŠã é転é害ãçºçãããçµå± 26 äž 4,000 ã¬ãã³ãã®äžæ°Žãè¿é£ã®æ²³å·ãå ¬åã«æŸåºãããã ïŒ ãã€ãã¹ã»ãã¹ 58 2003 幎 8 æãåååèŠå¶å§å¡äŒã¯å幎 1 æãã¹ã©ããŒãšããŠç¥ãããã ã€ã¯ããœãã SQL ãµãŒãã®ã¯ãŒã ãããªãã€ãªå·ãªãŒã¯ããŒããŒã«ããé皌åäžã®ãã€ã ã¹ã»ãã¹åååçºé»æã®ãã©ã€ããŒãã³ã³ãã¥ãŒã¿ãããã¯ãŒã¯ã«ææããŠããããšãç¢ºèª ãã5 æéçšåºŠå®å šç£èŠè£ 眮ã䜿çšã§ããªãã£ãããŸããçºé»æã®ããã»ã¹ã³ã³ãã¥ãŒã¿ã æ éãã埩æ§ã«çŽ 6 æéèŠãããå ±åã«ããã°ã¹ã©ããŒã¯ãå°ãªããšãä»ã® 5 ã€ã®å ¬å ±äºæ¥ å£äœã®å¶åŸ¡ãããã¯ãŒã¯ã®éä¿¡ã«ã圱é¿ãåãŒãã極ããŠè¿ éã«äŒæããŠå¶åŸ¡ã·ã¹ãã ãã© ãã£ãã¯ãé®æããã ïŒ Zotob ã¯ãŒã 59 2005 幎 8 æãã€ã³ã¿ãŒãããã¯ãŒã ã«ææãããã€ã ã©ãŒã¯ã©ã€ã¹ã©ãŒã® ç±³åœèªåè»çç£ãã©ã³ã 13 ç®æãçŽ 1 æéã«ããããªãã©ã€ã³ã«ãªããWindows ã·ã¹ãã ãžã®ãããäœæ¥ã®éãäœæ¥å¡ãç«ã¡åŸçãããã€ãªãã€ãã€ã³ãã£ã¢ãããŠã£ã¹ã³ã³ã·ã³ã ãªãã€ãªããã©ãŠã§ã¢ããã·ã¬ã³ã®åå·ã§ã¯ãã©ã³ãããªãã©ã€ã³ã«ãªã£ããææããã®ã¯ 䞻㫠Windows2000 ã ã£ãããWindows XP ã®åæããŒãžã§ã³ãææãããææã®åŸŽåã¯ãå æãšåèµ·åã®ç¹°ãè¿ãã ã£ããZotob åã³ãã®æŽŸçåã¯ã倧åè£ ååã¡ãŒã«ãŒã® Caterpillar Inc.ãèªç©ºæ©ã¡ãŒã«ãŒã® Boeingããã®ä»å€§æã®å ±éæ©é¢ã®ã³ã³ãã¥ãŒã¿ã被害ã«éã£ãã ïŒ Stuxnet ã¯ãŒã 60 Stuxnet 㯠2010 幎 7 æã«èŠã€ãã£ã Windows ã³ã³ãã¥ãŒã¿ã®ã¯ãŒã ã§ã ç£æ¥çšãœãããŠãšã¢åã³è£ ååãäž»ãªæšçãšããŠãããåœåãã®ã¯ãŒã ã¯å¯Ÿè±¡ãéžã°ãæ¡æ£ ããããç¹æ®ãªãã«ãŠãšã¢ãã€ããŒããçµã¿èŸŒãã§ãç¹å®ã®ç£æ¥ããã»ã¹ã®å¶åŸ¡ã»ç£èŠã«ç¹ åãã SCADA ã·ã¹ãã ã ããæšçãšããããã«ãªã£ãã ïŒ ã€ã³ã¿ãŒãããã«å¯Ÿé¢ããå¶åŸ¡ã·ã¹ãã ãžã®åŒ·åæ»æ 61 2013 幎 2 æ 22 æ¥ãICS-CERT 㯠ã¬ã¹ã³ã³ãã¬ããµã¹ããŒã·ã§ã³ã®ä¿æè ãããå¶åŸ¡ç®¡çãããã¯ãŒã¯ãžã®ã¢ã¯ã»ã¹ãããã ã匷倧ãªåã®å¢å ãããæšå ±åãåããã調æ»ã®çµæãå¥åã® IP ã 10 ãšãåçš®ã®è£è¶³ç㪠åŒåºããã»ãã®å€©ç¶ã¬ã¹ãã€ãã©ã€ã³ä¿æè ããããããå šéšã§ 39 ã®è¿œå IP äºæ¡ãšãªã£ãã 
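The brute-force incident above was recognised through log analysis: counting failed access attempts per source and establishing the date range of the activity. The following is an added example of that kind of detection, not code from NIST SP 800-82 or ICS-CERT. It assumes a remote-access gateway in front of the process control network that writes sshd-style login records; the hostname, IP addresses, user names and every log line are constructed for the example.

```python
"""Added example (not from NIST SP 800-82 or ICS-CERT): flag sources that
generate repeated failed logins against a remote-access gateway in front of
a process control network, and report the span of the observed activity.
All log lines, hostnames and addresses below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a syslog-like layout (hypothetical gateway "gw01").
SAMPLE_LOG = """\
2013-01-16T02:14:05 gw01 sshd: Failed password for operator from 203.0.113.7 port 50112
2013-01-16T02:14:09 gw01 sshd: Failed password for operator from 203.0.113.7 port 50113
2013-01-16T02:14:12 gw01 sshd: Failed password for admin from 203.0.113.7 port 50114
2013-01-16T02:14:15 gw01 sshd: Failed password for root from 203.0.113.7 port 50115
2013-01-16T02:14:19 gw01 sshd: Failed password for scada from 203.0.113.7 port 50116
2013-01-16T02:14:22 gw01 sshd: Failed password for scada from 203.0.113.7 port 50117
2013-01-16T08:30:00 gw01 sshd: Failed password for operator from 198.51.100.23 port 41000
2013-01-16T08:31:10 gw01 sshd: Accepted password for operator from 198.51.100.23 port 41001
2013-02-03T23:59:58 gw01 sshd: Failed password for admin from 192.0.2.44 port 60001
2013-02-04T00:00:03 gw01 sshd: Failed password for admin from 192.0.2.44 port 60002
2013-02-04T00:00:07 gw01 sshd: Failed password for admin from 192.0.2.44 port 60003
2013-02-04T00:00:12 gw01 sshd: Failed password for admin from 192.0.2.44 port 60004
2013-02-04T00:00:16 gw01 sshd: Failed password for admin from 192.0.2.44 port 60005
2013-03-08T11:05:40 gw01 sshd: Failed password for operator from 203.0.113.7 port 50200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse_log(text):
    """Yield (timestamp, result, user, ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def detect_brute_force(text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"attempts", "users", "first", "last"}} for every source that
    produced at least `threshold` failed logins inside any sliding `window`.
    A single operator typo (one failure, then success) is below the threshold."""
    failures = defaultdict(list)
    for ts, result, user, ip in parse_log(text):
        if result == "Failed":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until events[start..end] fit in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "attempts": len(events),
                    "users": {u for _, u in events},
                    "first": events[0][0],
                    "last": events[-1][0],
                }
                break
    return flagged


def activity_range(text):
    """Earliest and latest failed-login timestamps in the log, or (None, None)."""
    stamps = [ts for ts, result, _, _ in parse_log(text) if result == "Failed"]
    return (min(stamps), max(stamps)) if stamps else (None, None)


if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_LOG).items():
        print(ip, info["attempts"], sorted(info["users"]), info["first"], info["last"])
    print("failed-login activity spans", *activity_range(SAMPLE_LOG))
```

The sliding window matters more than the raw count: a source that fails five times in twenty seconds and then returns weeks later (203.0.113.7 here) is what an analyst wants surfaced, while a single mistyped password followed by a successful login is not. The flagged addresses and the first/last timestamps are the material an asset owner would hand to ICS-CERT when reporting.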
• German Steel Mill Attack.[63] In 2014, hackers manipulated and disrupted control systems to such a degree that a blast furnace could not be properly shut down, resulting in "massive" (though unspecified) damage.

Structural Events

• CSX Train Signaling System.[64] In August 2003, the Sobig computer virus was blamed for shutting down train signaling systems throughout the east coast of the U.S. The virus infected the computer system at CSX Corp.'s Jacksonville, Florida headquarters, shutting down signaling, dispatching, and other systems. According to Amtrak spokesman Dan Stessel, ten Amtrak trains were affected in the morning. Trains between Pittsburgh and Florence, South Carolina were halted because of dark signals, and one regional Amtrak train from Richmond, Virginia to Washington and New York was delayed for more than two hours. Long-distance trains were also delayed between four and six hours.

• Northeast Power Blackout.[65] In August 2003, failure of the alarm processor in First Energy's SCADA system prevented control room operators from having adequate situational awareness of critical operational changes to the electrical grid. Additionally, effective reliability oversight was prevented when the state estimator at the Midwest Independent System Operator failed due to incomplete information on topology changes, preventing contingency analysis. Several key 345 kV transmission lines in Northern Ohio tripped due to contact with trees. This eventually initiated cascading overloads of additional 345 kV and 138 kV lines, leading to an uncontrolled cascading failure of the grid. A total of 61 800 MW of load was lost as 508 generating units at 265 power plants tripped.

• Taum Sauk Water Storage Dam Failure.[66] In December 2005, the Taum Sauk Water Storage Dam suffered a catastrophic failure, releasing a billion gallons of water. The failure of the reservoir occurred as the reservoir was being filled to capacity, or it may possibly have been overtopped. The current working theory is that the reservoir's berm was overtopped when the routine nightly pump-back operation failed to cease when the reservoir was filled. According to the utility, the gauges at the dam read differently than the gauges at the Osage plant at the Lake of the Ozarks, which monitors and operates the Taum Sauk plant remotely. The stations are linked together using a network of microwave towers, and there are no operators on-site at Taum Sauk.

• Bellingham, Washington Gasoline Pipeline Failure.[67] In June 1999, 900 000 liters (237 000 gallons) of gasoline leaked from a 16 in. (40.64 cm) pipeline and ignited 1.5 hours later, causing 3 deaths, 8 injuries, and extensive property damage. The pipeline failure was exacerbated by control systems that were unable to perform control and monitoring functions. "Immediately prior to and during the incident, the SCADA system exhibited poor performance that inhibited the pipeline controllers from seeing and reacting to the development of an abnormal pipeline operation." A key recommendation from the NTSB report issued in October 2002 was to utilize an off-line development and testing system for implementing and testing changes to the SCADA database.

• Browns Ferry-3 PLC Failure.[73] In August 2006, TVA was forced to manually shut down one of the plant's two reactors after problems with unresponsive PLCs caused two water pumps to fail and threatened the stability of the plant itself. Although there were dual redundant PLCs, they were connected to the same Ethernet network. Later testing of the failed devices discovered that they would crash when they encountered excessive network traffic.

Environmental Events

• Fukushima Daiichi Nuclear Disaster.[74] The Great East Japan Earthquake on 11 March 2011 struck off the coast of Japan, sending a massive tsunami inland towards the nuclear plant. The tsunami compromised the plant's seawall, flooding much of the plant, including the location housing the emergency generators. This emergency power was critical to operate the control rooms and also to provide coolant water for the reactors. The loss of coolant caused the reactor cores to overheat to the point where the fuel's zirconium cladding reacted with water, releasing hydrogen gas and fueling large explosions in three of the four reactor buildings. This resulted in large-scale radiation leakage that has impacted plant employees, nearby citizens, and the local environment. Post-event analysis found that the plant's emergency response center had insufficient secure communication lines to provide other areas of the plant with information on key safety-related instrumentation.

Accidental Events

• Vulnerability Scanner Incidents.[75] While a ping sweep was being performed on an active SCADA network that controlled 3 meter (9 foot) robotic arms, it was noticed that one arm became active and swung around 180 degrees. The controller for the arm was in standby mode before the ping sweep was initiated. In a separate incident, a ping sweep was being performed on an ICS network to identify all hosts attached to the network for inventory purposes, and it caused a system controlling the creation of integrated circuits in the fabrication plant to hang. This test resulted in the destruction of $50,000 worth of wafers.

• Penetration Testing Incident.[76] A natural gas utility hired an IT security consulting organization to conduct penetration testing on its corporate IT network. The consulting organization carelessly ventured into a part of the network that was directly connected to the SCADA system. The penetration test locked up the SCADA system, and the utility was not able to send gas through its pipelines for four hours. The outcome was the loss of service to its customer base for those four hours.

63 Additional information on the German steel mill incident can be found at: http://www.wired.com/2015/01/german-steel-mill-hack-destruction/ [accessed 4/16/15].
64 Additional information on the CSX Train Signaling System incident can be found at: http://www.cbsnews.com/stories/2003/08/21/tech/main569418.shtml and http://www.informationweek.com/story/showArticle.jhtml?articleID=13100807 [each accessed 4/16/15].
65 Additional information on the Northeast Power Blackout incident can be found at: http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/BlackoutFinalImplementationReport%282%29.pdf [accessed 4/16/15]. http://www.oe.energy.gov/DocumentsandMedia/BlackoutFinal-Web.pdf
66 Additional information on the Taum Sauk Water Storage Dam Failure incident can be found at: http://www.ferc.gov/industries/hydropower/safety/projects/taum-sauk/ipoc-rpt/full-rpt.pdf [accessed 4/16/15].
67 Additional information on the Bellingham, Washington Gasoline Pipeline Failure incident can be found at: http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Bellingham_Case_Study_report%2020Sep071.pdf and http://www.ntsb.gov/investigations/AccidentReports/Reports/PAR0202.pdf [each accessed 4/16/15].
73 Additional information on the Browns Ferry-3 PLC Failure incident can be found at: http://www.nrc.gov/reading-rm/doc-collections/gen-comm/info-notices/2007/in200715.pdf [accessed 4/16/15].
74 Additional information on the Fukushima Daiichi incident can be found at: http://wwwpub.iaea.org/MTCD/meetings/PDFplus/2011/cn200/documentation/cn200_Final-Fukushima-Mission_Report.pdf and http://pbadupws.nrc.gov/docs/ML1414/ML14140A185.pdf [each accessed 4/16/15].
75 Additional information on the vulnerability scanner incidents can be found at: http://energy.sandia.gov/wp/wpcontent/gallery/uploads/sand_2005_2846p.pdf and http://www.sandia.gov/scada/documents/sand_2005_2846p.pdf [accessed 4/16/15].
76 Additional information on penetration testing incidents can be found at: http://energy.sandia.gov/wp/wpcontent/gallery/uploads/sand_2005_2846p.pdf [accessed 4/16/15].
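Both accidental events above share a cause: active traffic (a ping sweep, a penetration test) reached devices that could not tolerate it, because nothing checked the targets against the segments that must not be probed. The following is an added example of such a pre-flight scope check, not code from NIST SP 800-82 or from the Sandia reports cited above. The engagement range, the protected segment names and addresses, and the requested targets are all constructed; in practice the protected list would come from the asset inventory agreed with the control system owner.

```python
"""Added example (not from NIST SP 800-82 or the cited Sandia reports):
reject discovery or penetration-testing targets that touch segments where
active traffic is not tolerated.  All names and addresses are constructed."""
import ipaddress

# Constructed: the range the engagement is permitted to cover (corporate IT) ...
IN_SCOPE = ["10.10.0.0/16"]
# ... and segments that must never receive active probes.  Note that the
# SCADA segment sits inside the IT range, mirroring the pentest incident in
# which the corporate network was directly connected to the SCADA system.
NO_ACTIVE_PROBE = {
    "scada-ops": "10.10.200.0/24",
    "plc-cell-3": "192.168.7.0/24",
}


def classify_targets(targets, in_scope=IN_SCOPE, no_probe=NO_ACTIVE_PROBE):
    """Split requested targets (hosts or CIDR ranges) into an allowed list and a
    {target: reason} dict of rejections.  A target is rejected if it overlaps a
    protected segment at all (a /16 that merely contains the SCADA /24 is still
    rejected) or if it is not wholly inside the engagement scope."""
    scope = [ipaddress.ip_network(n) for n in in_scope]
    forbidden = {name: ipaddress.ip_network(n) for name, n in no_probe.items()}
    allowed, rejected = [], {}
    for target in targets:
        net = ipaddress.ip_network(target, strict=False)  # a bare host becomes a /32
        hits = [name for name, f in forbidden.items() if net.overlaps(f)]
        if hits:
            rejected[target] = "overlaps protected segment(s): " + ", ".join(hits)
        elif not any(net.subnet_of(s) for s in scope if net.version == s.version):
            rejected[target] = "outside engagement scope"
        else:
            allowed.append(target)
    return allowed, rejected


if __name__ == "__main__":
    requested = ["10.10.5.7", "10.10.0.0/22", "10.10.200.0/24", "10.10.0.0/16", "203.0.113.9"]
    ok, bad = classify_targets(requested)
    print("allowed:", ok)
    for target, reason in bad.items():
        print("rejected:", target, "->", reason)
```

The overlap test, rather than a membership test, is the point: the sweeping "scan the whole /16" request is exactly the one that would have reached the SCADA segment. Where an ICS segment still needs an inventory, passive sources (switch address tables, configuration backups, captured traffic) avoid sending anything to the devices at all.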
Appendix D—Current Activities in Industrial Control System Security

This appendix contains abstracts of some of the many activities that are addressing ICS cybersecurity. Please be aware that the organization descriptions and related information provided in this appendix have been drawn primarily from the listed organizations' Web sites and from other reliable public sources, but have not been verified. Readers are encouraged to contact the organizations directly for the most up-to-date and complete information.
American Gas Association (AGA) Standard 12, "Cryptographic Protection of SCADA Communications"
American Gas Association: http://www.aga.org/

The American Gas Association, representing 195 local energy utility organizations that deliver natural gas to more than 56 million homes, businesses, and industries throughout the United States, advocates the interests of its energy utility members and their customers, and provides information and services. The AGA 12 series of documents recommends practices designed to protect SCADA communications against cyber incidents. The recommended practices focus on ensuring the confidentiality of SCADA communications. The purpose of the AGA 12 series is to save SCADA system owners' time and effort by recommending a comprehensive system designed specifically to protect SCADA communications using cryptography. The AGA 12 series may be applied to water, wastewater, and electric SCADA-based distribution systems because of their similarities with natural gas systems; however, timing requirements may differ. Recommendations included in the series 12 documents may also apply to other ICS. Additional topics planned for future addenda in this series include key management, protection of data at rest, and security policies.

American Petroleum Institute (API) Standard 1164, "Pipeline SCADA Security"
American Petroleum Institute: http://www.api.org/

The American Petroleum Institute represents more than 400 members involved in all aspects of the oil and natural gas industry. API 1164 provides guidance to the operators of oil and natural gas pipeline systems for managing SCADA system integrity and security. The guideline is specifically designed to provide operators with a description of industry practices in SCADA security, and to provide the framework needed to develop sound security practices within the operator's individual organization. It stresses the importance of operators understanding system vulnerability and risks when reviewing the SCADA system for possible system improvements. API 1164 provides a means to improve the security of SCADA pipeline operations by:

• Listing the processes used to identify and analyze the SCADA system's susceptibility to incidents.
• Providing a comprehensive list of practices to harden the core architecture.
• Providing examples of industry recommended practices.

The guideline targets small to medium pipeline operators with limited IT security resources. The guideline is applicable to most SCADA systems, not just oil and natural gas SCADA systems. The appendices of the document include a checklist for assessing a SCADA system and an example of a SCADA control system security plan.
Electric Power Research Institute (EPRI)
http://www.epri.com/Our-Work/Pages/Cyber-Security.aspx, http://smartgrid.epri.com/NESCOR.aspx

The Electric Power Research Institute (EPRI) is a nonprofit center for public interest energy and environmental research. EPRI brings together member organizations, the Institute's scientists and engineers, and other leading experts to work collaboratively on solutions to the challenges of electric power. These solutions span nearly every area of power generation, delivery, and use, including health, safety, and environment. EPRI's members represent over 90% of the electricity generated in the United States.

Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
https://ics-cert.us-cert.gov/About-Industrial-Control-Systems-Cyber-Emergency-Response-Team

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) operates within the National Cybersecurity and Integration Center (NCCIC), a division of the Department of Homeland Security's Office of Cybersecurity and Communications (DHS CS&C). NCCIC/ICS-CERT is a key component of the DHS Strategy for Securing Control Systems. The primary goal of the Strategy is to build a long-term common vision where effective risk management of control systems security can be realized through successful coordination efforts. ICS-CERT provides a control system security focus in collaboration with US-CERT to:

• Respond to and analyze control systems-related incidents.
• Conduct vulnerability and malware analysis.
• Provide onsite support for incident response and forensic analysis.
• Provide situational awareness in the form of actionable intelligence.
• Coordinate the responsible disclosure of vulnerabilities and mitigations.
• Share and coordinate vulnerability information and threat analysis through information products and alerts.

ICS-CERT coordinates control systems-related security incidents and information sharing with Federal, State, and local agencies and organizations, the intelligence community, and private sector constituents, including vendors, owners and operators, and international and private sector CERTs. The focus on control systems cybersecurity provides a direct path for coordination of activities among all members of the critical infrastructure stakeholder community.

As a functional component of the NCCIC, ICS-CERT provides focused operational capabilities for defense of control system environments against emerging cyber threats. ICS-CERT provides efficient coordination of control-systems-related security incidents and information sharing with federal, state, and local agencies and organizations, the Intelligence Community, private sector constituents including vendors, owners, and operators, and international and private sector computer security incident response teams (CSIRTs). The focus on control systems cybersecurity provides a direct path for coordination of activities for all members of the stakeholder community.
285 SP800-82 第 2 ç ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ã ç±³åœé»åç 究æïŒEPRIïŒ http://www.epri.com/Our-Work/Pages/Cyber-Security.aspx, http://smartgrid.epri.com/NESCOR.aspx ç±³åœé»åç 究æïŒEPRIïŒã¯ãå ¬çãšãã«ã®ãŒç°å¢ç 究ã«é¢ããéå¶å©å£äœã§ãããå çå£äœãç 究æã®ç§åŠè ã»ãšã³ãžãã¢ãã®ä»å°é家ãæããŠãé»ååé¡ã®è§£æ±ºã«åãçµãã§ããã解決ç㯠çºé»ãé é»ãå©çšãªã©ããããåéã«ãŸããããå¥åº·ãå®å šãç°å¢çãå«ãŸãããå çã¡ã³ã㌠ã¯ãç±³åœçºé»éã® 90%以äžãçç£ããŠããã ç£æ¥çšå¶åŸ¡ã·ã¹ãã ãµã€ããŒç·æ¥å¯Ÿå¿ããŒã (ICS-CERT) https://ics-cert.us-cert.gov/About-Industrial-Control-Systems-Cyber-Emergency-Response-Team ç£æ¥çšå¶åŸ¡ã·ã¹ãã ãµã€ããŒç·æ¥å¯Ÿå¿ããŒã (ICS-CERT)ã¯ãåœå®¶ãµã€ããŒã»ãã¥ãªãã£éä¿¡çµ±å ã»ã³ã¿ãŒ(NCCIC)å ã§ãåœåå®å šä¿éçã®ãµã€ããŒã»ãã¥ãªãã£éä¿¡å±ïŒDHS CS&CïŒã®äžã«ã ããNCCIC/ICS-CERT ã¯ãå¶åŸ¡ãµãŒãã¹ã®ã»ãã¥ãªãã£ã確ä¿ãã DHS æœçã®äž»èŠãªæ§æèŠçŽ ã§ããããã®æœçã®äž»ãªç®çã¯ãé·æã®å ±éçããžã§ã³ãæã¡ç«ãŠãçžäºé£æºãéããŠå¶åŸ¡ã·ã¹ ãã ã»ãã¥ãªãã£ã®å¹æçãªã¹ã¯ç®¡çãå®çŸããããšã«ãããICS-CERT 㯠US-CERT ãšã®é£æº ãéããŠã以äžãéç¹ãšããå¶åŸ¡ã·ã¹ãã ã»ãã¥ãªãã£ãæšé²ããã ïŒ å¶åŸ¡ã·ã¹ãã é¢é£ã€ã³ã·ãã³ããžã®å¯Ÿå¿ãšåæ ïŒ è匱æ§ãšãã«ãŠãšã¢ã®åæ ïŒ çŸå Žã§ã®ã€ã³ã·ãã³ã察å¿ãšèª¿æ»åææ¯æŽ ïŒ å®çšçãªæ å ±æäŸã«ããæèã®é«æ ïŒ è匱æ§ã»ç·©åçã®è²¬ä»»ããé瀺ã®èª¿æŽ ïŒ æ å ±éç¥ã»ã¢ã©ãŒãã«ããè匱æ§æ å ±ãšè åšåæã®å ±æãšèª¿æŽ ICS-CERT ã¯å¶åŸ¡ã·ã¹ãã é¢é£ã»ãã¥ãªãã£ã€ã³ã·ãã³ããšæ å ±ã調æŽããåœã»å·ã»å°æ¹èªæ²» äœã»çµç¹ã»æ å ±å ±åäœã»æ°éäŒæ¥ïŒãã³ããŒã»ä¿æè ã»åœéæ°éäŒæ¥ CERT çïŒãšå ±æãããå¶ åŸ¡ã·ã¹ãã ã®ãµã€ããŒã»ãã¥ãªãã£ã«æ³šåããããšã§ãå šéèŠã€ã³ãã©é¢ä¿è éã®æŽ»åãçŽæ¥èª¿ æŽããéçãéããã NCCIC ã®æ©èœèŠçŽ ãšã㊠ICS-CERT ã¯ãå¶åŸ¡ã·ã¹ãã ç°å¢ãæ°èãµã€ããŒè åšããå®ããããé äžçãªéçšèœåãä»äžããã ICS-CERT ã¯å¶åŸ¡ã·ã¹ãã é¢é£ã»ãã¥ãªãã£ã€ã³ã·ãã³ããšæ å ±ã調æŽããåœã»å·ã»å°æ¹èªæ²» äœã»çµç¹ã»æ å ±å ±åäœã»æ°éäŒæ¥ïŒãã³ããŒã»ä¿æè ã»æäœå¡ã»åœé/æ°éäŒæ¥ã³ã³ãã¥ãŒã¿ã» ãã¥ãªãã£ã€ã³ã·ãã³ã察å¿ããŒã [CSIRT]çïŒãšå ±æãããå¶åŸ¡ã·ã¹ãã ã®ãµã€ããŒã»ãã¥ãª ãã£ã«æ³šåããããšã§ãå šé¢ä¿è ã«æŽ»åãçŽæ¥èª¿æŽããéçãéãã 286 SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY ICS-CERT Cyber Security Evaluation Tool (CSET®) 
http://ics-cert.us-cert.gov/Assessments The Cyber Security Evaluation Tool (CSET®) is a DHS product that assists organizations in protecting their key national cyber assets. It was developed under the direction of the DHS ICS-CERT by cybersecurity experts and with assistance from NIST. This tool provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems. CSET is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards. The output from CSET is a prioritized list of recommendations for improving the cybersecurity posture of the organization's enterprise and industrial control cyber systems. The tool derives the recommendations from a database of cybersecurity standards, guidelines, and practices. Each recommendation is linked to a set of actions that can be applied to enhance cybersecurity controls. CSET has been designed for easy installation and use on a stand-alone laptop or workstation. It incorporates a variety of available standards from organizations such as NIST, NERC, Transportation Security Administration (TSA), U.S. Department of Defense (DoD), and others. When the tool user selects one or more of the standards, CSET will open a set of questions to be answered. The answers to these questions will be compared against a selected security assurance level, and a detailed report will be generated to show areas for potential improvement. CSET provides an excellent means to perform a selfassessment of the security posture of your control system environment. 

ICS-CERT Recommended Practices
https://ics-cert.us-cert.gov/Introduction-Recommended-Practices
ICS-CERT works with the control systems community to ensure that recommended practices, which are made available, have been vetted by subject-matter experts in industry before being made publicly available in support of this program. Recommended practices are developed to help users reduce their exposure and susceptibility to cyber attacks. These recommendations are based on understanding the cyber threats, control systems vulnerabilities and attack paths, and secure architecture design. The recommended practices working group selects topics to be implemented in the recommended practices section. Additional supporting documents detailing a wide variety of control systems topics associated with cyber vulnerabilities and their mitigation have been developed and vetted by the working group for accuracy. These documents will be updated and topics added to address additional content and emerging issues.

Institute of Electrical and Electronics Engineers, Inc. (IEEE)
http://www.ieee.org
IEEE 1686-2007 – Standard for Substation IED Cybersecurity Capabilities. The functions and features to be provided in substation intelligent electronic devices (IEDs) to accommodate critical infrastructure protection programs are defined in this standard. Security regarding the access, operation, configuration, firmware revision, and data retrieval from an IED is addressed in this standard. Communications for the purpose of power system protection (teleprotection) is not addressed. Encryption for the secure transmission of data both within and external to the substation, including supervisory control and data acquisition, is not part of this standard as this is addressed in other efforts.
IEEE P1711 – Standard for a Cryptographic Protocol for Cybersecurity of Substation Serial Links. This standard defines a cryptographic protocol to provide integrity, and optional confidentiality, for cybersecurity of serial links. It does not address specific applications or hardware implementations, and is independent of the underlying communications protocol.
IEEE 1815-2012 – Standard for Electric Power System Communications – Distributed Network Protocol (DNP3). This standard describes the DNP3 SCADA protocol, incorporating version five of the application-layer authentication procedure called DNP3 Secure Authentication (DNP3-SAv5). DNP3-SAv5 uses an HMAC process to verify that data and commands are received (without tampering) from authorized individual users or devices while limiting computational and communications overhead. SAv5 supports remote update (add/change/revoke) of user credentials using either symmetric or PKI techniques. SAv5 authenticates but does not encrypt messages, hence it does not provide confidentiality. SAv5 can be used together with encryption techniques such as TLS or IEEE 1711 where confidentiality is required.
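The following Python program is an added illustration of the authenticate-but-do-not-encrypt property described for DNP3-SAv5 above; it is not code from the NIST guide nor an implementation of IEEE 1815. An outstation challenges the master with a sequence number and a random nonce, and the master answers with a truncated HMAC-SHA-256 over the challenge and the command it wants executed. The session key, the command bytes and the frame layout are constructed for the example and do not follow the SAv5 wire format; what it shows is that a tampered, replayed or wrongly keyed command is rejected, while the command itself remains readable on the link, which is why the guide pairs SAv5 with TLS or IEEE 1711 where confidentiality is required.

```python
import hashlib
import hmac
import os

MAC_LEN = 16  # truncated tag length chosen for the example; SAv5 also truncates its HMAC outputs

# Constructed 256-bit session key shared by master and outstation (example value only).
SESSION_KEY = bytes(range(32))

# Constructed stand-in for a control request (think "direct operate" on a relay);
# it is not a real DNP3 encoding.
SAMPLE_COMMAND = b"\xc0\x05\x0c\x01\x17\x01\x02\x41\x01\x00"


def _mac(key: bytes, csq: int, nonce: bytes, command: bytes) -> bytes:
    """Truncated HMAC-SHA-256 that binds the command to one specific challenge."""
    data = csq.to_bytes(4, "big") + nonce + command
    return hmac.new(key, data, hashlib.sha256).digest()[:MAC_LEN]


class Outstation:
    """Field device that demands proof of origin before acting on a command."""

    def __init__(self, session_key: bytes) -> None:
        self._key = session_key
        self._csq = 0          # challenge sequence number
        self._pending = None   # (csq, nonce) of the open challenge, if any

    def challenge(self) -> bytes:
        """Issue a fresh challenge: sequence number followed by a random nonce."""
        self._csq += 1
        nonce = os.urandom(4)
        self._pending = (self._csq, nonce)
        return self._csq.to_bytes(4, "big") + nonce

    def verify(self, command: bytes, tag: bytes) -> bool:
        """Accept the command only if the tag answers the currently open challenge."""
        if self._pending is None:
            return False
        csq, nonce = self._pending
        self._pending = None   # a challenge may be answered once, so replays fail
        expected = _mac(self._key, csq, nonce, command)
        return hmac.compare_digest(expected, tag)


class Master:
    """Control centre that answers challenges for the commands it sends."""

    def __init__(self, session_key: bytes) -> None:
        self._key = session_key

    def respond(self, challenge: bytes, command: bytes) -> bytes:
        csq = int.from_bytes(challenge[:4], "big")
        nonce = challenge[4:]
        return _mac(self._key, csq, nonce, command)


def demo() -> dict:
    """Run four exchanges and report which commands the outstation accepts."""
    outstation = Outstation(SESSION_KEY)
    master = Master(SESSION_KEY)
    cmd = SAMPLE_COMMAND

    # 1. Genuine exchange: correct key, fresh challenge, unmodified command.
    tag = master.respond(outstation.challenge(), cmd)
    genuine = outstation.verify(cmd, tag)
    frame = cmd + tag  # what an observer of the serial link sees

    # 2. Command modified in transit (one bit of the last byte flipped).
    tag = master.respond(outstation.challenge(), cmd)
    tampered_cmd = cmd[:-1] + bytes([cmd[-1] ^ 0x01])
    tampered = outstation.verify(tampered_cmd, tag)

    # 3. Replay: the tag from the previous exchange presented against a new challenge.
    outstation.challenge()
    replayed = outstation.verify(cmd, tag)

    # 4. Sender that does not hold the session key.
    rogue = Master(b"\x00" * 32)
    tag = rogue.respond(outstation.challenge(), cmd)
    wrong_key = outstation.verify(cmd, tag)

    return {
        "genuine": genuine,
        "tampered": tampered,
        "replayed": replayed,
        "wrong_key": wrong_key,
        # Authentication only: the command bytes travel in the clear.
        "command_visible": frame.startswith(cmd),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} {result}")
```

Only the genuine exchange is accepted; the last entry records that the command is still legible in the frame, so the integrity guarantee says nothing about confidentiality. In a real deployment the session key would itself be distributed under an update key, which is the credential-management part of SAv5 that this sketch leaves out.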

Institute for Information Infrastructure Protection (I3P)
http://www.thei3p.org/
The I3P is a consortium of leading national cybersecurity institutions, including academic research centers, government laboratories, and non-profit organizations. It was founded in September 2001 to help meet a well-documented need for improved research and development (R&D) to protect the nation's information infrastructure against catastrophic failures. The institute's main role is to coordinate a national cybersecurity R&D program and help build bridges between academia, industry, and government. The I3P continues to work toward identifying and addressing critical research problems in information infrastructure protection and opening information channels between researchers, policymakers, and infrastructure operators. Currently, the I3P does the following:
• Fosters collaboration among academia, industry, and government on pressing cybersecurity problems.
• Develops, manages, and supports national-scale research projects.
• Provides research fellowship opportunities to qualified post-doctoral researchers, faculty, and research scientists.
• Hosts workshops, meetings, and events on cybersecurity and information infrastructure protection issues.
• Builds and supports a knowledge base as an online vehicle for sharing and distributing information to I3P members and others working on information security challenges.

International Electrotechnical Commission (IEC) Technical Committees 65 and 57
http://www.iec.ch/
IEC is a standards organization that prepares and publishes international standards for all electrical, electronic, and related technologies. These standards serve as a basis for creating national standards and as references for drafting international tenders and contracts. IEC's members include manufacturers, providers, distributors, vendors, consumers, and users, all levels of governmental agencies, professional societies, trade associations, and standards developers from over 60 countries.
In 2004 the IEC Technical Sub-Committee 65C (Industrial Networks), through its working group WG13 (cybersecurity), started to address security issues – within the IEC 61784 standard – for field buses and other industrial communication networks. Results of this work are outlined in part 4, entitled "Digital data communications for measurement and control – Profiles for secure communications in industrial networks."
TC65 WG10 is working to extend this field level communication to address security standards across common automation networking scenarios. The standard being drafted as a result of this work is IEC 62443, entitled "Security for industrial process measurement and control – Network and system security." It is based on a modular security architecture consisting of requirement sets. These modules are mapped into ICS component and network architecture. The resulting requirements can then be formulated for use as the basis for Requests for Proposals (RFP) for data communication standards, and security audits.
TC 57 is focused on Power Systems Management and Associated Information Exchange and is divided up into a series of working groups. Each working group is comprised of members of national standards committees from the countries that participate in the IEC.
Each working group is responsible for the development of standards within its domain. The current working groups are:
• WG 3: Telecontrol protocols.
• WG 9: Distribution automation using distribution line carrier systems.
• WG 10: Power system IED communication and associated data models.
• WG 13: Energy management system application program interface (EMS-API).
• WG 14: System interfaces for distribution management (SIDM).
• WG 15: Data and communication security.
• WG 16: Deregulated energy market communications.
• WG 17: Communications Systems for Distributed Energy Resources (DER).
• WG 18: Hydroelectric power plants – Communication for monitoring and control.
• WG 19: Interoperability within TC 57 in the long term.
• WG 20: Planning of (single-sideband) power line carrier systems (IEC 60495); Planning of (single-sideband) power line carrier systems (IEC 60663).
• WG 21: Interfaces and protocol profiles relevant to systems connected to the electrical grid.

ISA99 Industrial Automation and Control Systems Security Standards
http://www.isa.org/isa99
The ISA99 standards development committee brings together industrial cybersecurity experts from across the globe to develop ISA standards on industrial automation and control system (IACS) security. This original and ongoing ISA99 work is being standardized by the IEC in producing the multi-standard IEC 62443 series. The committee's focus is to improve the confidentiality, integrity, and availability of components or systems used for automation or control and provides criteria for procuring and implementing secure control systems. Compliance with the committee's guidance will improve industrial automation and control system electronic security, and will help identify vulnerabilities and address them, thereby reducing the risk of compromising confidential information or causing industrial automation control system degradation or failure.
All ISA-62443 standards and technical reports are organized into four general categories called General, Policies and Procedures, System, and Component.
• The General category includes common or foundational information such as concepts, models and terminology. Also included are work products that describe security metrics and security life cycles for IACS.
• The Policies and Procedures category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
• The System category includes work products that describe system design guidance and requirements for the secure integration of control systems. Core in this is the zone and conduit design model.
• The Component category includes work products that describe the specific product development and technical requirements of control system products. This is primarily intended for control product vendors, but can be used by integrators and asset owners to assist in the procurement of secure products.
The current status of the ISA-62443 documents is provided on the ISA99 Wiki at http://isa99.isa.org/ISA99 Wiki/
General
• ISA-62443-1-1 (IEC/TS 62443-1-1) (formerly referred to as "ISA-99 Part 1") was originally published as ISA standard ANSI/ISA-99.00.01-2007, as well as an IEC technical specification IEC/TS 62443-1-1. The ISA99 committee is currently revising it to make it align with other documents in the series, and to clarify normative content.
• ISA-TR62443-1-2 (IEC 62443-1-2) is a master glossary of terms used by the ISA99 committee. This document is a working draft.
• ISA-62443-1-3 (IEC 62443-1-3) identifies a set of compliance metrics for IACS security. This document is currently under development and the committee will be releasing a draft for comment in 2013.
• ISA-TR62443-1-4 (IEC/TS 62443-1-4) defines the IACS security life cycle and use case. This work product has been proposed as part of the series, but as of January 2013 development had not yet started.
Policies and Procedures
• ISA-62443-2-1 (IEC 62443-2-1) (formerly referred to as "ANSI/ISA 99.02.01-2009" or "ISA-99 Part 2") addresses how to establish an IACS security program. This standard is approved and published by the IEC as IEC 62443-2-1. It is now being revised to permit closer alignment with the ISO 27000 series of standards.
• ISA-TR62443-2-2 (IEC 62443-2-2) addresses how to operate an IACS security program. This standard is currently under development.
• ISA-TR62443-2-3 (IEC/TR 62443-2-3) is a technical report on the subject of patch management in IACS environments. This report is currently under development.
• ISA-62443-2-4 (IEC 62443-2-4) focuses on the certification of IACS supplier security policies and practices. This document was adopted from the WIB organization and is now a working product of the IEC TC65/WG10 committee. The proposed ISA version will be a U.S. national publication of the IEC standard.
System
• ISA-TR62443-3-1 (IEC/TR 62443-3-1) is a technical report on the subject of suitable technologies for IACS security. This report is approved and published as ANSI/ISA-TR99.00.01-2007 and is now being revised.
• ISA-62443-3-2 (IEC 62443-3-2) addresses how to define security assurance levels using the zones and conduits concept. This standard is currently under development.
• ISA-62443-3-3 (IEC 62443-3-3) defines detailed technical requirements for IACS security. This standard has been published as ANSI/ISA-62443-3-3 (99.03.03)-2013. It was previously numbered as ISA-99.03.03.
Component
• ISA-62443-4-1 (IEC 62443-4-1) addresses the requirements for the development of secure IACS products and solutions. This standard is currently under development.
• ISA-62443-4-2 (IEC 62443-4-2) addresses detailed technical requirements at the IACS component level. This standard is currently under development.

ISA100 Wireless Systems for Automation
http://www.isa.org/isa100
The ISA100 Committee will establish standards, recommended practices, technical reports, and related information that will define procedures for implementing wireless systems in the automation and control environment with a focus on the field level. Guidance is directed towards those responsible for the complete life cycle including the designing, implementing, on-going maintenance, scalability or managing industrial automation and control systems, and shall apply to users, system integrators, practitioners, and control systems manufacturers and vendors.

ISO 27001
http://www.iso.org/, http://www.27000.org
ISO 27001 provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System. The objective of the standard itself is to "provide requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System (ISMS)." Regarding its adoption, this should be a strategic decision. Further, "The design and implementation of an organization's information security management system is influenced by the organization's needs and objectives, security requirements, the organizational processes used and the size and structure of the organization." The content sections of the standard include:
• Context of the Organization.
• Information Security Leadership.
• Planning an ISMS.
• Support.
• Operation.
• Performance Evaluation.
• Improvement.
• Annex A – List of controls and their objectives.
The 2005 version of the standard heavily employed the Plan-Do-Check-Act model to structure the processes, and reflect the principles set out in the OECD guidelines (see oecd.org). However, the latest, 2013 version, places more emphasis on measuring and evaluating how well an organization's ISMS is performing.

ISO 27002
http://www.iso.org/, http://www.27000.org
ISO 27002 "established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization." The actual controls listed in the standard are intended to address the specific requirements identified via a formal risk assessment. The standard is also intended to provide a guide for the development of "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities." 81
In 2013 the current version was published. ISO 27002:2013 contains 114 controls, fewer than the 133 documented in the 2005 version. However, for additional granularity, these are presented in 14 sections, rather than the original 11:
• Security Policy.
• Organization of Information Security.
• Human Resource Security.
• Asset Management.
• Access Control.
• Cryptography.
• Physical and Environmental Security.
• Operations Security.
• Communications Security.
• Information Systems Acquisition, Development, Maintenance.
• Supplier Relationships.
• Information Security Incident Management.
• Information Security Aspects of Business Continuity.
• Compliance.
81 http://www.27000.org/iso-27002.htm.

International Council on Large Electric Systems (CIGRE)
http://www.cigre.org/
The International Council on Large Electric Systems (CIGRE) is a nonprofit international association based in France. It has established several study committees to promote and facilitate the international exchange of knowledge in the electrical industry by identifying recommended practices and developing recommendations. Three of its study committees focus on control systems:
• The objectives of the B3 Substations Committee include the adoption of technological advances in equipment and systems to achieve increased reliability and availability.
• The C2 System Operation and Control Committee focuses on the technical capabilities needed for the secure and economical operation of existing power systems including control centers and operators.
• The D2 Information Systems and Telecommunication for Power Systems Committee monitors emerging technologies in the industry and evaluates their possible impact. In addition, it focuses on the security requirements of the information systems and services of control systems.

LOGIIC – Linking the Oil and Gas Industry to Improve Cybersecurity
http://www.dhs.gov/csd-logiic
The LOGIIC (Linking the Oil and Gas Industry to Improve Cybersecurity) program is an ongoing collaboration of oil and natural gas companies and the DHS Science and Technology Directorate (S&T). LOGIIC was formed in 2004 to facilitate cooperative research, development, testing, and evaluation procedures to improve cybersecurity in petroleum industry digital control systems. The program undertakes collaborative R&D projects to improve the level of cybersecurity in critical systems of interest to the oil and natural gas sector. The program objective is to promote the interests of the sector while maintaining impartiality, the independence of the participants, and vendor neutrality. After a successful first project, the LOGIIC consortium was formally established as a collaboration between DHS, the Automation Federation, and five of the major oil and gas companies. The LOGIIC program has completed several R&D projects, and more projects are being planned and started.

National SCADA Test Bed (NSTB)
http://energy.sandia.gov/infrastructure-security/cyber/scada-systems/testbeds/national-scada-testbed/
The National Supervisory Control and Data Acquisition (SCADA) Test Bed is a DOE Office of Electricity Delivery and Energy Reliability (OE)-sponsored resource to help secure our nation's energy control systems. It combines state-of-the-art operational system testing facilities with research, development, and training to discover and address critical security vulnerabilities and threats to the energy sector. Working in partnership with the energy sector, the National SCADA Test Bed seeks to:
• Identify and mitigate existing vulnerabilities.
• Facilitate development of security standards.
• Serve as an independent entity to test SCADA systems and related control system technologies.
• Identify and promote best cybersecurity practices.
• Increase awareness of control systems security within the energy sector.
• Develop advanced control system architectures and technologies that are more secure and robust.
Partners in the NSTB include Idaho National Laboratory, Sandia National Laboratories, Argonne National Laboratory, Pacific Northwest National Laboratory, and the National Institute of Standards and Technology.

NIST Special Publication 800 Series Security Guidelines
http://csrc.nist.gov/publications/nistpubs/index.html
The NIST Special Publication 800 series of documents on information technology reports on the NIST Information Technology Laboratory (ITL) research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations. Focus areas include cryptographic technology and applications, advanced authentication, public key infrastructure, internetworking security, criteria and assurance, and security management and support. In addition to NIST SP 800-82, the following is a listing of some additional 800 series documents that have significant relevance to the ICS security community. These as well as many others are available through the URL listed above.
• NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems [19].
• NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments [79].
• NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach [21].
• NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View [20].
• NIST SP 800-40 Revision 3, Guide to Enterprise Patch Management Technologies [40].
• NIST SP 800-41 Revision 1, Guidelines on Firewalls and Firewall Policy [85].
• NIST SP 800-48 Revision 1, Guide to Securing Legacy IEEE 802.11 Wireless Networks 0.
• NIST SP 800-50, Building an Information Technology Security Awareness and Training Program [61].
• NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations [22].
• NIST SP 800-53A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans [23].
• NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide [59].
• NIST SP 800-63-2, Electronic Authentication Guideline [53].
• NIST SP 800-64 Revision 2, Security Considerations in the Information System Development Life Cycle [46].
• NIST SP 800-70 Revision 2, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers [26].
• NIST SP 800-77, Guide to IPsec VPNs [74].
• NIST SP 800-83 Revision 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops [60].
• NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response [93].
• NIST SP 800-88 Revision 1, Guidelines for Media Sanitization [78].
• NIST SP 800-92, Guide to Computer Security Log Management [68].
• NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS) [55].
• NIST SP 800-97, Establishing Robust Security Networks: A Guide to IEEE 802.11i [64].
• NIST SP 800-100, Information Security Handbook: A Guide for Managers [27].
• NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices [94].
• NIST SP 800-115, Technical Guide to Information Security Testing and Assessment [41].
• NIST SP 800-123, Guide to General Server Security [95].
• NIST SP 800-127, Guide to Securing WiMAX Wireless Communications [96].
• NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems [97].
• NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations [81].

NIST Cybersecurity Framework
http://www.nist.gov/cyberframework/index.cfm

Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, in February 2013 [83]. It directed NIST to work with stakeholders to develop a voluntary framework, based on existing standards, guidelines, and practices, for reducing cyber risks to critical infrastructure. NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014 [83]. The Framework, created through collaboration between industry and government, consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.

The Department of Homeland Security's Critical Infrastructure Cyber Community C³ Voluntary Program helps align critical infrastructure owners and operators with existing resources that will assist their efforts to adopt the Cybersecurity Framework and manage their cyber risks. Learn more about the C³ Voluntary Program by visiting www.dhs.gov/ccubedvp. NIST has also issued a companion Roadmap that discusses NIST's next steps with the Framework and identifies key areas of cybersecurity development, alignment, and collaboration.

NIST Industrial Control System Security Project
http://csrc.nist.gov/groups/SMA/fisma/ics/

As part of the continuing effort to provide effective security standards and guidance to federal agencies and their contractors in support of the Federal Information Security Management Act (FISMA), and as part of the effort to protect the nation's critical infrastructure, NIST continues to work with public and private sector entities on sector-specific security issues. Industrial and process control systems are an integral part of the US critical infrastructure, and the protection of those systems is a priority for the federal government. This project intends to build upon the current FISMA security standards and provide targeted extensions and/or interpretations of those standards for industrial and process control systems where needed. Since many industrial and process control systems support private sector organizations, NIST will collaborate with ongoing standards efforts addressing these sector-specific types of systems.

NIST Cybersecurity for Manufacturing Systems Project
http://www.nist.gov/el/isd/cs/csms.cfm

Smart manufacturing systems need to be protected from vulnerabilities that may arise as a result of their increased connectivity, use of wireless networks and sensors, and use of widespread information technology. Manufacturers are hesitant to adopt common security technologies, such as encryption and device authentication, due to concern for potential negative performance impacts in their systems. This is exacerbated by a threat environment that has changed dramatically with the appearance of advanced persistent attacks specifically targeting industrial systems, such as Stuxnet. This project will develop a cybersecurity risk management framework with supporting guidelines, methods, metrics, and tools to enable manufacturers, technology providers, and solution providers to assess and assure cybersecurity for smart manufacturing systems. The cybersecurity risk management framework and methodology will stimulate manufacturer adoption and enable effective use of security technologies, leading to smart manufacturing systems that offer security, reliability, resilience, and continuity in the face of disruption and major incidents.

NIST Cybersecurity for Smart Grid Systems Project
http://www.nist.gov/el/smartgrid/cybersg.cfm

Smart grid cybersecurity must address not only deliberate attacks, such as from disgruntled employees, industrial espionage, and terrorists, but also inadvertent compromises of the information infrastructure due to user errors, equipment failures, and natural disasters. The Smart Grid Interoperability Panel (SGIP) Cybersecurity Committee (SGCC), which is led and managed by the NIST Information Technology Laboratory (ITL), Computer Security Division, is moving forward in fiscal year 2014 to address the critical cybersecurity needs in the areas of Advanced Metering Infrastructure (AMI) security requirements, cloud computing, supply chain, and privacy recommendations related to emerging standards. This project will provide foundational cybersecurity guidance, cybersecurity reviews of standards and requirements, and outreach, and will foster collaborations on the cross-cutting issue of cybersecurity in the smart grid.
NIST Smart Grid System Testbed Facility
http://www.nist.gov/el/smartgrid/sgtf.cfm

NIST is charged by the 2007 Energy Independence and Security Act (EISA) with facilitation of interoperability standards to enable successful implementation of the evolving cyber-physical national electric grid system known as the smart grid (SG). The Smart Grid Testbed Facility will create a unique set of interconnected and interacting labs in several key measurement areas, contiguously located on the NIST Gaithersburg site, that will accelerate the development of SG interoperability standards by providing a combined testbed platform for system measurements, characterization of smart grid protocols, and validation of SG standards, with particular emphasis on microgrids. (A microgrid is defined as a subset of the grid which has the capability of being quickly disconnected from, and functioning independently of, the larger grid.) Measurements will include eight areas: power conditioning, synchrophasor metrology, cybersecurity, precision time synchronization, electric power metering, modeling/evaluation of SG communications, sensor interfaces, and energy storage. The testbed will serve as a core Smart Grid Program research facility to address the measurement needs of the evolving SG industrial community, including measurement and validation issues.

North American Electric Reliability Corporation (NERC)
http://www.nerc.com/

NERC's mission is to improve the reliability and security of the bulk power system in North America. To achieve that, NERC develops and enforces reliability standards; monitors the bulk power system; assesses future adequacy; audits owners, operators, and users for preparedness; and educates and trains industry personnel. NERC is a self-regulatory organization that relies on the diverse and collective expertise of industry participants. As the Electric Reliability Organization, NERC is subject to audit by the U.S. Federal Energy Regulatory Commission and governmental authorities in Canada.

NERC has issued a set of cybersecurity standards to reduce the risk of compromise to electrical generation resources and high-voltage transmission systems above 100 kV, also referred to as bulk electric systems. Bulk electric systems include Balancing Authorities, Reliability Coordinators, Interchange Authorities, Transmission Providers, Transmission Owners, Transmission Operators, Generation Owners, Generation Operators, and Load Serving Entities. The cybersecurity standards include audit measures and levels of non-compliance that can be tied to penalties. The set of NERC cybersecurity standards includes the following:
• CIP-002, Cyber Security - Critical Cyber Asset Identification.
• CIP-003, Cyber Security - Security Management Controls.
• CIP-004, Cyber Security - Personnel & Training.
• CIP-005, Cyber Security - Electronic Security Perimeter(s).
• CIP-006, Cyber Security - Physical Security of Critical Cyber Assets.
• CIP-007, Cyber Security - Systems Security Management.
• CIP-008, Cyber Security - Incident Reporting and Response Planning.
• CIP-009, Cyber Security - Recovery Plans for Critical Cyber Assets.
SANS ICS Security Courses
http://ics.sans.org/

The ICS curriculum provides hands-on training courses focused on attacking and defending ICS environments. These courses equip both security professionals and control system engineers with the knowledge and skills they need to safeguard critical infrastructures. The Global Industrial Cyber Security Professional (GICSP) is the newest certification in the Global Information Assurance Certification (GIAC) family and focuses on the foundational knowledge of securing critical infrastructure assets. The GICSP bridges IT, engineering, and cybersecurity to achieve security for industrial control systems from design through retirement.

Smart Grid Interoperability Panel (SGIP) Cyber Security Working Group (CSWG)
http://collaborate.nist.gov/twiki-sggrid/bin/view/SmartGrid/CyberSecurityCTG

The primary goal of the working group is to develop an overall cybersecurity strategy for the Smart Grid that includes a risk mitigation strategy to ensure interoperability of solutions across different domains/components of the infrastructure. The cybersecurity strategy needs to address prevention, detection, response, and recovery. Implementation of a cybersecurity strategy requires the definition and implementation of an overall cybersecurity risk assessment process for the Smart Grid. The working group's effort is documented in NIST Interagency Report (NISTIR) 7628 Revision 1, Guidelines for Smart Grid Cybersecurity [98].

Appendix E: ICS Security Capabilities and Tools

This section provides an overview of security capabilities that are available to or being developed in support of the ICS community. There are several security products that are marketed specifically for ICS, while others are general IT security products that are being used with ICS. Many of the products available offer "single point solutions," where a single security product offers multiple levels of protection. In addition to available products, this section also discusses some research and development work towards new products and technologies. Each organization should make a risk-based determination whether to employ the security capabilities and tools mentioned in this appendix.
Data Diode

A data diode (also referred to as a unidirectional gateway, deterministic one-way boundary device, or unidirectional network) is a network appliance or device that allows data to travel in only one direction. It is used to guarantee information security or to protect critical digital systems, such as industrial control systems, from inbound cyber attacks. While use of these devices is common in high-security environments such as defense, where they serve as connections between two or more networks of differing security classifications, the technology is also being used to enforce one-way communications outbound from critical digital systems to untrusted networks.

Encryption

Encryption protects the confidentiality of data by encoding the data so that only the intended recipient can decode it. There are some commercially available encryption products designed specifically for ICS applications, as well as general encryption products that support basic serial and Ethernet-based communications.

Firewalls

Firewalls are commonly used to segregate networks to protect and isolate ICS. These implementations have typically used commercially available firewalls that are focused on Internet and corporate application-layer protocols and are not equipped to handle ICS protocols. Research was performed by an IT security vendor in 2003 to develop a Modbus-based firewall that allows policy decisions to be made on Modbus/TCP header values, just as traditional firewalls filter on TCP/UDP ports and IP addresses [76]. There are currently several firewalls available for ICS.

Intrusion Detection and Prevention

Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are being deployed on ICS networks and components to detect well-known cyber attacks. Network IDS products monitor network traffic and use various detection methods, such as comparing portions of the traffic to signatures of known attacks. In contrast, host intrusion detection uses software loaded on a host computer, often with attack signatures, to monitor ongoing events and data on a computer system for possible exploits. IPS products take intrusion detection a step further by automatically acting on detected exploits to attempt to stop them [57].

The required task of a security team to constantly monitor, evaluate, and quickly respond to intrusion detection events is sometimes contracted to a managed security service provider (MSSP). MSSPs have correlation and analysis engines to process and reduce the vast amounts of events logged per day to a small subset that needs to be manually evaluated. There are also correlation and analysis engine products available to large organizations wanting to perform this function in-house. Security information and event management (SIEM) products are used in some organizations to monitor, analyze, and correlate events from IDS and IPS logs, as well as audit logs from other computer systems, applications, infrastructure equipment, and other hardware and software, to look for intrusion attempts.

IDS and IPS vendors are developing and incorporating attack signatures for various ICS protocols such as Modbus, DNP3, and ICCP [58]. Snort rules have been developed for Modbus TCP, DNP3, and ICCP. Snort is an open source network intrusion detection and prevention system that uses a rule-driven language to perform signature, protocol, and anomaly-based inspections. Rules for the DNP3 and Modbus protocols have also been added to the Bro IDS platform.

As with any software added to an ICS component, the addition of host IDS or IPS software could affect system performance. IPSs are commonplace in today's information security industry, but can be very resource intensive. These systems have the ability to automatically reconfigure systems if an intrusion attempt is identified. This automated and fast reaction is designed to prevent successful exploits; however, an automated tool such as this could be used by an adversary to adversely affect the operation of an ICS by shutting down segments of a network or a server. False positives can also hinder ICS operation.

Malware/Antivirus Software

Because early malware threats were primarily viruses, the software to detect and remove malware has historically been called "antivirus software," even though it can detect many types of malware. Antivirus software is used to counter the threats of malware by evaluating files on a computer's storage devices (some tools also detect malware in real time at the network perimeter and/or on the user's workstation) against an inventory of malware signature files. If one of the files on a computer matches the profile of known malware, the malware is removed through a disinfection process so that it cannot infect other local files or communicate across a network to infect files on other computers. There are also techniques available to identify unknown malware "in the wild" when a signature file is not yet available.

Many end users and vendors of ICS recommend the use of COTS antivirus software with their systems and have even developed installation and configuration guidance based on their own laboratory testing. Some ICS vendors recommend the use of antivirus software with their products, but offer little to no guidance. Some end users and vendors are hesitant to use antivirus software due to fears that its use would cause ICS performance problems or even failure. NIST and Sandia National Laboratories (SNL) conducted a study and produced a report aimed at helping ICS owners/operators deploy antivirus software and minimize and assess the performance impacts of workstation- and server-based antivirus products. This study assembled ICS-based antivirus knowledge and serves as a starting point or a secondary resource when installing, configuring, running, and maintaining antivirus software on an ICS [56]. In many cases, performance impacts can be reduced through configuration settings as well as by scheduling antivirus scanning and maintenance differently from the antivirus software practices recommended for typical IT systems.

In summary, COTS antivirus software can be used successfully on most ICS components. However, ICS-specific considerations should be taken into account during the selection, installation, configuration, operation, and maintenance procedures. ICS end users should consult with their ICS vendors regarding the use of antivirus software.
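As an added example (not part of NIST SP 800-82 or of any product it mentions), the following Python sketches the kind of Modbus/TCP-aware decision that the firewall and intrusion detection sections above describe: instead of matching only on TCP port 502, it parses the MBAP header and the function code, allows read requests from the HMI subnet, restricts write and device-identification requests to an engineering workstation, rejects malformed headers, and flags the diagnostics sub-function that forces a PLC into listen-only mode. The addresses, port, and rule set are assumptions made up for the example. The `enforce` switch reflects the IPS caveat above: in monitor-only mode a violation is reported as an alert rather than dropped, so a false positive cannot itself interrupt the process.

```python
"""Modbus/TCP-aware policy check (added example; not from NIST SP 800-82).

Shows the decision a Modbus firewall or ICS-protocol IDS rule makes on MBAP
header fields and the function code, rather than on the TCP port alone.
"""
import ipaddress
import struct
from dataclasses import dataclass

# Site addressing assumed for this example only (hypothetical).
HMI_SUBNET = ipaddress.ip_network("10.0.10.0/24")
ENGINEERING_WS = ipaddress.ip_address("10.0.20.5")
PLC_SUBNET = ipaddress.ip_network("10.0.30.0/24")
MODBUS_PORT = 502

# Public Modbus function codes grouped by their effect on the PLC.
READ_FCS = {1, 2, 3, 4, 7, 20, 24}        # coils, inputs, registers, exception status, file, FIFO
WRITE_FCS = {5, 6, 15, 16, 21, 22, 23}    # single/multiple coils and registers, file, mask, read/write
DEVICE_ID_FCS = {17, 43}                  # report server ID, encapsulated interface (device identification)
DIAG_FC = 8                               # diagnostics
FORCE_LISTEN_ONLY = 0x0004                # diagnostics sub-function that silences the PLC


@dataclass
class Decision:
    action: str   # "ALLOW", "DENY" (enforcing) or "ALERT" (monitor-only)
    reason: str


def build_frame(transaction_id: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """Assemble MBAP header + PDU; used here only to construct sample traffic."""
    pdu = bytes([function_code]) + data
    # MBAP: transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_frame(payload: bytes):
    """Return (unit_id, function_code, data); raise ValueError if the frame is malformed."""
    if len(payload) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError("length field does not match frame size")
    return unit_id, payload[7], payload[8:]


def evaluate(src_ip: str, dst_ip: str, dst_port: int, payload: bytes, enforce: bool = True) -> Decision:
    """Apply the site policy to one client-to-server Modbus request."""
    block = "DENY" if enforce else "ALERT"   # monitor-only mode never drops traffic
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if dst_port != MODBUS_PORT or dst not in PLC_SUBNET:
        return Decision(block, "not a Modbus request to a PLC")
    try:
        _unit, fc, data = parse_frame(payload)
    except ValueError as exc:
        return Decision(block, f"malformed Modbus frame: {exc}")
    from_ews = src == ENGINEERING_WS
    from_hmi = src in HMI_SUBNET
    if fc in READ_FCS and (from_hmi or from_ews):
        return Decision("ALLOW", f"read function {fc}")
    if fc in WRITE_FCS:
        if from_ews:
            return Decision("ALLOW", f"write function {fc} from engineering workstation")
        return Decision(block, f"write function {fc} from {src} is not permitted")
    if fc == DIAG_FC:
        sub = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else None
        if sub == FORCE_LISTEN_ONLY:
            return Decision(block, "diagnostics sub-function 4 would force the PLC into listen-only mode")
        if from_ews:
            return Decision("ALLOW", f"diagnostics sub-function {sub} from engineering workstation")
    if fc in DEVICE_ID_FCS and from_ews:
        return Decision("ALLOW", f"device identification function {fc} from engineering workstation")
    return Decision(block, f"function {fc} from {src} matches no allow rule")


# Constructed sample requests: (label, src, dst, dst_port, frame).
SAMPLE_REQUESTS = [
    ("hmi reads 10 holding registers", "10.0.10.7", "10.0.30.1", 502, build_frame(1, 1, 3, b"\x00\x00\x00\x0a")),
    ("hmi writes a holding register", "10.0.10.7", "10.0.30.1", 502, build_frame(2, 1, 6, b"\x00\x10\x00\x01")),
    ("engineering ws writes registers", "10.0.20.5", "10.0.30.1", 502, build_frame(3, 1, 16, b"\x00\x10\x00\x01\x02\x00\x01")),
    ("engineering ws forces listen-only", "10.0.20.5", "10.0.30.1", 502, build_frame(4, 1, 8, b"\x00\x04\x00\x00")),
    ("frame with wrong protocol id", "10.0.10.7", "10.0.30.1", 502, struct.pack(">HHHB", 5, 1, 2, 1) + b"\x03"),
]


def run_samples(enforce: bool = True) -> dict:
    """Evaluate every sample request; returns {label: action}."""
    return {label: evaluate(s, d, p, f, enforce).action for label, s, d, p, f in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, action in run_samples().items():
        print(f"{action:5}  {label}")
```

Running the block with `enforce=False` first and reviewing the ALERT lines against real traffic for a while is the practical way to tune such a rule set before switching to DENY; the length check on the MBAP header also catches fragmented or padded frames that a port-only rule would pass through.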
Vulnerability Assessment Tools

There are many tools available for performing network vulnerability assessments for typical IT networks; however, the impacts these tools may have on the operation of an ICS should be carefully considered [77]. The additional traffic and exploits used during active vulnerability and penetration testing, combined with the limited resources of many ICS, have been known to cause ICS to malfunction. As guidance in this area, SNL developed a preferred list of vulnerability and penetration testing techniques for ICS [77]. These are less intrusive methods, passive instead of active, that collect the majority of the information that is often queried by automated vulnerability and penetration testing tools. They are intended to allow collection of the necessary vulnerability information without the risk of causing a failure while testing.

Sophia is a patent-pending, passive, real-time diagnostic and security tool designed and built specifically for control systems professionals.
Sophia builds and maintains an ICS network fingerprint and continuously monitors activity against it, with white-, gray- and black-listing capabilities, alerting its managers of any abnormal activity for further investigation, monitoring and/or action. Beta testing conducted by the Battelle Energy Alliance (BEA) at the Idaho National Laboratory (INL) recently concluded with a group of over 30 participants, including major utilities and control system vendors. Those beta participants reported immediate benefits in the fingerprinting process and longer-term benefits in monitoring, securing, and making ongoing modifications to ICS configurations during the beta testing period. Beta participants, as well as non-participants who have been following the development of Sophia by BEA/INL, have long expressed interest in obtaining commercial-grade Sophia software, services and support. Beta testing has shown that this suite of tools offers unique capabilities, including visualization of activity and tailored reporting to meet customer needs.

Shodan is a search engine that lets you find specific types of computers (routers, servers, etc.) on the Internet using a variety of filters. Some have also described it as a search engine of service banners, which are metadata the server sends back to the client. This can be information about the server software, what options the service supports, a welcome message or anything else that the client can find out before interacting with the server. Shodan users are able to find systems including traffic lights, security cameras, home heating systems as well as control systems. ICS owners can use Shodan to determine whether any of the devices on their ICS are accessible from the Internet.

The Cyber Security Evaluation Tool (CSET) is a Department of Homeland Security (DHS) product that assists organizations in protecting their key national cyber assets.
It was developed under the direction of the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) by cybersecurity experts and with assistance from NIST. This tool provides users with a systematic and repeatable approach for assessing the security posture of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems. CSET is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards. The output from CSET is a prioritized list of recommendations for improving the cybersecurity posture of the organization's enterprise and industrial control cyber systems. The tool derives the recommendations from a database of cybersecurity standards, guidelines, and practices. Each recommendation is linked to a set of actions that can be applied to enhance cybersecurity controls. CSET has been designed for easy installation and use on a stand-alone laptop or workstation. It incorporates a variety of available standards from organizations such as NIST, NERC, TSA, DoD, and others. When the tool user selects one or more of the standards, CSET will open a set of questions to be answered. The answers to these questions will be compared against a selected security assurance level, and a detailed report will be generated to show areas for potential improvement. CSET provides an excellent means to perform a self-assessment of the security posture of your control system environment. 
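The Snort and Bro rules discussed above match fixed protocol signatures, while the passive approach described for Sophia amounts to learning a fingerprint of which hosts talk to which controllers and alerting on deviations. As an added example that is not code from SP 800-82, Snort, Bro or Sophia, the Python below decodes the Modbus/TCP MBAP header, learns an allow-list of (source, destination, unit id, function code) tuples during a baseline window, and then raises alerts on frames outside that baseline, ranking unexpected writes above unexpected reads. It only observes and never blocks or reconfigures anything, which is the design choice the IPS caveat above argues for on an ICS. The hosts, unit ids and frames are constructed for the demonstration.

```python
# Added example, not code from SP 800-82, Snort, Bro or Sophia: a passive
# Modbus/TCP allow-list monitor. Hosts, unit ids and frames are constructed.
import struct
from dataclasses import dataclass

# Function codes that change process state. An unexpected write is the
# highest-value alert on a control network; unexpected reads rank lower.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}


@dataclass(frozen=True)
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int


def parse_modbus_tcp(src, dst, payload):
    """Decode the 7-byte MBAP header and the function code of a Modbus/TCP request.

    Returns None for frames that are not well-formed Modbus/TCP: too short,
    protocol identifier other than 0, or a length field that does not match
    the bytes actually present (the length counts the unit id plus the PDU).
    """
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return ModbusRequest(src, dst, tid, unit, payload[7])


def build_request(tid, unit, function, data=b""):
    """Assemble a Modbus/TCP request; used here only to construct sample traffic."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


class PassiveMonitor:
    """Learn a fingerprint of (src, dst, unit id, function code) tuples during a
    baseline window, then alert on anything outside it.

    The monitor only observes: it never blocks or reconfigures anything, so a
    false positive costs analyst time rather than process uptime.
    """

    def __init__(self):
        self.baseline = set()
        self.learning = True
        self.alerts = []

    def finish_learning(self):
        self.learning = False

    def observe(self, src, dst, payload):
        req = parse_modbus_tcp(src, dst, payload)
        if req is None:
            self.alerts.append(("medium", "malformed Modbus/TCP frame", src, dst))
            return
        key = (req.src, req.dst, req.unit_id, req.function)
        if self.learning:
            self.baseline.add(key)
        elif key not in self.baseline:
            severity = "high" if req.function in WRITE_FUNCTIONS else "low"
            name = FUNCTION_NAMES.get(req.function, f"function {req.function}")
            self.alerts.append((severity, f"unexpected {name} to unit {req.unit_id}", src, dst))


def run_demo():
    """Baseline an HMI polling a PLC, then replay constructed post-baseline frames."""
    hmi, ews, plc, rogue = "192.168.10.5", "192.168.10.7", "192.168.10.20", "192.168.10.99"
    mon = PassiveMonitor()
    # Baseline window: the HMI polls 10 holding registers; the engineering
    # workstation writes one register during commissioning.
    mon.observe(hmi, plc, build_request(1, 1, 3, struct.pack(">HH", 0, 10)))
    mon.observe(ews, plc, build_request(2, 1, 6, struct.pack(">HH", 40, 1)))
    mon.finish_learning()
    # Detection window.
    mon.observe(hmi, plc, build_request(3, 1, 3, struct.pack(">HH", 0, 10)))  # learned, no alert
    mon.observe(rogue, plc, build_request(4, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x00"))
    mon.observe(hmi, plc, build_request(5, 1, 5, struct.pack(">HH", 3, 0xFF00)))  # HMI never wrote coils
    mon.observe(rogue, plc, b"\x00\x01\x00\x00\x00\x99\x01\x03")  # length field does not match
    return mon.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running it yields three alerts: a multiple-register write from a host never seen in the baseline, a coil write from the HMI, which had only ever read registers, and a frame whose length field disagrees with its actual size. The cost of the allow-list approach is that legitimate changes, such as a new engineering workstation or a commissioning write, also alert until the baseline is re-learned; that is the false-positive trade-off the text warns about, and it is why the monitor raises alerts rather than resetting connections or shutting down segments.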
SamuraiSTFU is the Samurai Project's Security Testing Framework for Utilities. It takes best-in-breed security tools for traditional network and web penetration testing, adds specialized tools for embedded and RF testing, and mixes in energy sector context, documentation and sample files. It also includes emulators for SCADA, smart meters, and other types of energy sector systems to provide leverage for a full test lab.

ICS owners must make the individuals using vulnerability assessment tools aware of the criticality of continuous operation and the risks involved with performing these tests on operational systems. It may be possible to mitigate these risks by performing tests on ICS components such as redundant servers or independent test systems in a laboratory setting. Laboratory tests can be used to screen out test procedures that might harm the operational system.
Even with very good configuration management to assure that the test system is highly representative, tests on the actual system are likely to uncover flaws not represented in the laboratory.

Appendix F—References

[1] Fraser, Roy E., Process Measurement and Control: Introduction to Sensors, Communication, Adjustment, and Control, Upper Saddle River, New Jersey: Prentice-Hall, Inc., 2001.
[2] Falco, Joe, et al., IT Security for Industrial Control Systems, NIST Internal Report (NISTIR) 6859, February 2002, http://www.nist.gov/customcf/get_pdf.cfm?pub_id=821684 [accessed 4/16/15].
[3] Bailey, David, and Edwin Wright, Practical SCADA for Industry, Vancouver: IDC Technologies, 2003.
[4] Boyer, Stuart, SCADA: Supervisory Control and Data Acquisition, 4th ed., Research Triangle Park, North Carolina: International Society of Automation, 2010.
[5] American Gas Association, AGA Report No. 12, Cryptographic Protection of SCADA Communications, Part 1: Background, Policies and Test Plan, March 14, 2006.
[6] Erickson, Kelvin, and John Hedrick, Plantwide Process Control, New York: John Wiley & Sons, Inc., 1999.
[7] Berge, Jonas, Fieldbuses for Process Control: Engineering, Operation, and Maintenance, Research Triangle Park, North Carolina: ISA, 2002.
[8] Peerenboom, James, "Infrastructure Interdependencies: Overview of Concepts and Terminology," invited paper, NSF/OSTP Workshop on Critical Infrastructure: Needs in Interdisciplinary Research and Graduate Training, Washington, D.C., June 14-15, 2001.
[9] Rinaldi, Steven, et al., "Identifying, Understanding, and Analyzing Critical Infrastructure Interdependencies," IEEE Control Systems Magazine, December 2001, pp. 11-25, http://dx.doi.org/10.1109/37.969131.
[10] GAO-04-354, Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems, U.S. GAO, 2004, http://www.gao.gov/new.items/d04354.pdf.
[11] Weiss, Joseph, "Current Status of Cybersecurity of Control Systems," presentation to the Georgia Tech Protective Relay Conference, May 8, 2003.
[12] Keeney, Michelle, et al., Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, United States Secret Service and Carnegie Mellon Software Engineering Institute, 2005, http://www.cert.org/archive/pdf/insidercross051105.pdf.
[13] Federal Information Security Management Act of 2002, Pub. L. 107-347 (Title III), 116 Stat. 2946, http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/pdf/PLAW-107publ347.pdf [accessed 4/16/15].
[14] Federal Information Security Management Act Implementation Project [Web site], http://csrc.nist.gov/groups/SMA/fisma/index.html [accessed 4/16/15].
[15] U.S. Department of Commerce, Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004, http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf [accessed 4/16/15].
[16] U.S. Department of Commerce, Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf [accessed 4/16/15].
[17] Knapp, Eric, Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems, Waltham, Massachusetts: Syngress, 2011.
[18] U.S. Government Accountability Office (GAO), GAO-15-6, Federal Facility Cybersecurity: DHS and GSA Should Address Cyber Risk to Building and Access Control Systems, December 12, 2014, http://www.gao.gov/products/GAO-15-6 [accessed 4/16/15].
[19] Swanson, Marianne, et al., NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems, February 2006, http://csrc.nist.gov/publications/PubsSPs.html#800-18 [accessed 4/16/15].
[20] Joint Task Force Transformation Initiative, NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, March 2011, http://csrc.nist.gov/publications/PubsSPs.html#800-39 [accessed 4/16/15].
[21] Joint Task Force Transformation Initiative, NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: a Security Life Cycle Approach, February 2010 (updated June 5, 2014), http://dx.doi.org/10.6028/NIST.SP.800-37r1.
[22] Joint Task Force Transformation Initiative, NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013 (updated January 22, 2015), http://dx.doi.org/10.6028/NIST.SP.800-53r4.
[23] Joint Task Force Transformation Initiative, NIST SP 800-53A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans, December 2014 (updated December 18, 2014), http://dx.doi.org/10.6028/NIST.SP.800-53Ar4.
[24] Barker, William, NIST SP 800-59, Guideline for Identifying an Information System as a National Security System, August 2003, http://csrc.nist.gov/publications/PubsSPs.html#800-59 [accessed 4/16/15].
[25] Stine, Kevin, et al., NIST SP 800-60 Revision 1 (2 vols.), Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008, http://csrc.nist.gov/publications/PubsSPs.html#800-60 [accessed 4/16/15].
[26] Quinn, Stephen, et al., NIST SP 800-70 Revision 2, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers, February 2011, http://csrc.nist.gov/publications/PubsSPs.html#800-70 [accessed 4/16/15].
[27] Bowen, Pauline, et al., NIST SP 800-100, Information Security Handbook: A Guide for Managers, October 2006 (updated March 7, 2007), http://csrc.nist.gov/publications/PubsSPs.html#800-100 [accessed 4/16/15].
[28] NIST Security Configurations Checklists Program for IT Products [Web site], http://web.nvd.nist.gov/view/ncp/repository [accessed 4/16/15].
[29] Stamp, Jason, et al., Common Vulnerabilities in Critical Infrastructure Control Systems, Sandia National Laboratories, 2003, http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.132.3264&rep=rep1&type=pdf.
[30] SCADA Security - Advice for CEOs, IT Security Expert Advisory Group (ITSEAG).
[31] Franz, Matthew, Vulnerability Testing of Industrial Network Devices, Critical Infrastructure Assurance Group, Cisco Systems, 2003, http://blogfranz.googlecode.com/files/franz-isa-device-testing-oct03.pdf.
[32] Duggan, David, et al., Penetration Testing of Industrial Control Systems, Sandia National Laboratories, Report No. SAND2005-2846P, 2005.
[33] President's Critical Infrastructure Protection Board, and U.S. Department of Energy, Office of Energy Assurance, 21 Steps to Improve Cybersecurity of SCADA Networks, [2002], http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/21_Steps_-_SCADA.pdf [accessed 4/16/15].
[34] ISA-62443 [multiple parts], Security for Industrial Automation and Control Systems, Research Triangle Park, North Carolina: International Society of Automation, http://isa99.isa.org/ISA99%20Wiki/WP_List.aspx [accessed 4/16/15].
[35] Centre for the Protection of National Infrastructure (CPNI), Firewall Deployment for SCADA and Process Control Networks: Good Practice Guide, February 15, 2005, http://energy.gov/sites/prod/files/Good%20Practices%20Guide%20for%20Firewall%20Deployment.pdf [accessed 4/16/15].
[36] U.S. Department of Homeland Security, Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies, October 2009, https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Defense_in_Depth_Oct09.pdf [accessed 4/16/15].
[37] Industrial Automation Open Networking Association (IAONA), The IAONA Handbook for Network Security, Version 1.3, 2005, http://www.iaona.org/pictures/files/1122888138-IAONA_HNS_1_3reduced_050725.pdf [accessed 4/16/15].
[38] U.S. Department of Homeland Security, Common Cybersecurity Vulnerabilities in Industrial Control Systems, May 2011, https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/DHS_Common_Cybersecurity_Vulnerabilities_ICS_2010.pdf [accessed 4/16/15].
[39] NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, 1995, http://csrc.nist.gov/publications/PubsSPs.html.
[40] Souppaya, Murugiah, and Karen Scarfone, NIST SP 800-40 Revision 3, Guide to Enterprise Patch Management Technologies, July 2013, http://dx.doi.org/10.6028/NIST.SP.800-40r3.
[41] Scarfone, Karen, et al., NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, September 2008, http://csrc.nist.gov/publications/PubsSPs.html#800-115 [accessed 4/16/15].
[42] Roback, Edward, NIST SP 800-23, Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products, August 2000, http://csrc.nist.gov/publications/PubsSPs.html#800-23 [accessed 4/16/15].
[43] Stoneburner, Gary, et al., NIST SP 800-27 Revision A, Engineering Principles for Information Technology Security (A Baseline for Achieving Security), June 2004, http://csrc.nist.gov/publications/PubsSPs.html#800-27A [accessed 4/16/15].
[44] Grance, Tim, et al., NIST SP 800-35, Guide to Information Technology Security Services, October 2003, http://csrc.nist.gov/publications/PubsSPs.html#800-35 [accessed 4/16/15].
[45] Grance, Tim, et al., NIST SP 800-36, Guide to Selecting Information Technology Security Products, October 2003, http://csrc.nist.gov/publications/PubsSPs.html#800-36 [accessed 4/16/15].
[46] Grance, Tim, et al., NIST SP 800-64 Revision 2, Security Considerations in the System Development Life Cycle, October 2008, http://csrc.nist.gov/publications/PubsSPs.html#800-64 [accessed 4/16/15].
[47] Hash, Joan, et al., NIST SP 800-65, Integrating IT Security into the Capital Planning and Investment Control Process, January 2005, http://csrc.nist.gov/publications/PubsSPs.html#800-65 [accessed 4/16/15].
[48] U.S. Department of Homeland Security, Cyber Security Procurement Language for Control Systems, September 2009, https://ics-cert.us-cert.gov/sites/default/files/documents/Procurement_Language_Rev4_100809.pdf [accessed 4/16/15].
[49] Dray, James, et al., NIST SP 800-73-3, Interfaces for Personal Identity Verification (4 parts), February 2010, http://csrc.nist.gov/publications/PubsSPs.html#800-73 [accessed 4/16/15].
[50] Grother, Patrick, et al., NIST SP 800-76-2, Biometric Data Specification for Personal Identity Verification, July 2013, http://dx.doi.org/10.6028/NIST.SP.800-76-2.
[51] Kuhn, D. Richard, et al., NIST SP 800-46 Revision 1, Guide to Enterprise Telework and Remote Access Security, June 2009, http://csrc.nist.gov/publications/PubsSPs.html#800-46 [accessed 4/16/15].
[52] Swanson, Marianne, et al., NIST SP 800-34 Revision 1, Contingency Planning Guide for Federal Information Systems, May 2010, http://csrc.nist.gov/publications/PubsSPs.html#800-34 [accessed 4/16/15].
[53] Burr, William, et al., NIST SP 800-63-2, Electronic Authentication Guideline, August 2013, http://dx.doi.org/10.6028/NIST.SP.800-63-2.
[54] Bace, Rebecca, and Peter Mell, NIST SP 800-31, Intrusion Detection Systems, 2001, http://csrc.nist.gov/publications/PubsSPs.html.
[55] Scarfone, Karen, and Peter Mell, NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS), February 2007, http://csrc.nist.gov/publications/PubsSPs.html#800-94 [accessed 4/16/15].
[56] Falco, Joe, et al., NIST SP 1058, Using Host-based Anti-virus Software on Industrial Control Systems: Integration Guidance and a Test Methodology for Assessing Performance Impacts, September 18, 2006, http://www.nist.gov/manuscript-publication-search.cfm?pub_id=823596 [accessed 4/16/15].
[57] Peterson, Dale, "Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks," ISA Automation West (AUTOWEST 2004), Long Beach, California, April 2004, http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.121.3420&rep=rep1&type=pdf [accessed 4/16/15].
[58] Symantec Corporation, "Symantec Expands SCADA Protection for Electric Utilities," [press release], September 14, 2005, http://www.symantec.com/about/news/release/article.jsp?prid=20050914_01 [accessed 4/16/15].
[59] Grance, Tim, et al., NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide, August 2012, http://dx.doi.org/10.6028/NIST.SP.800-61r2.
[60] Mell, Peter, et al., NIST SP 800-83 Revision 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, July 2013, http://dx.doi.org/10.6028/NIST.SP.800-83r1.
[61] Wilson, Mark, and Joan Hash, NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, October 2003, http://csrc.nist.gov/publications/PubsSPs.html#800-50 [accessed 4/16/15].
[62] Mix, S., Supervisory Control and Data Acquisition (SCADA) Systems Security Guide, Electric Power Research Institute (EPRI), 2003.
[63] Scarfone, Karen, et al., NIST SP 800-48 Revision 1, Guide to Securing Legacy IEEE 802.11 Wireless Networks, July 2008, http://csrc.nist.gov/publications/PubsSPs.html#800-48 [accessed 4/16/15].
[64] Frankel, Sheila, et al., NIST SP 800-97, Establishing Wireless Robust Security Networks: a Guide to IEEE 802.11i, February 2007, http://csrc.nist.gov/publications/PubsSPs.html#800-97 [accessed 4/16/15].
[65] U.S. Department of Commerce, Federal Information Processing Standards (FIPS) Publication 201-2, Personal Identity Verification (PIV) of Federal Employees and Contractors, August 2013, http://dx.doi.org/10.6028/NIST.FIPS.201-2.
[66] Dray, James, et al., NIST SP 800-96, PIV Card to Reader Interoperability Guidelines, September 2006, http://csrc.nist.gov/publications/PubsSPs.html#800-96 [accessed 4/16/15].
[67] Polk, W. Timothy, et al., NIST SP 800-78-3, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, December 2010, http://csrc.nist.gov/publications/PubsSPs.html#800-78 [accessed 4/16/15].
[68] Kent, Karen, and Murugiah Souppaya, NIST SP 800-92, Guide to Computer Security Log Management, September 2006, http://csrc.nist.gov/publications/PubsSPs.html#800-92 [accessed 4/16/15].
[69] Jansen, Wayne, et al., NIST SP 800-28 Version 2, Guidelines on Active Content and Mobile Code, March 2008, http://csrc.nist.gov/publications/PubsSPs.html#800-28 [accessed 4/16/15].
[70] Polk, Tim, et al., NIST SP 800-52 Revision 1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, April 2014, http://dx.doi.org/10.6028/NIST.SP.800-52r1.
[71] Barker, Elaine, et al., NIST SP 800-56A Revision 2, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, May 2013, http://dx.doi.org/10.6028/NIST.SP.800-56Ar2.
[72] Barker, Elaine, et al., NIST SP 800-57 (3 parts), Recommendation for Key Management: Part 1 Revision 3, General, July 2012, http://csrc.nist.gov/publications/PubsSPs.html#800-57pt1; Part 2, Best Practices for Key Management Organization, August 2005, http://csrc.nist.gov/publications/PubsSPs.html#800-57pt2; Part 3 Revision 1, Application-Specific Key Management Guidance, January 2015, http://dx.doi.org/10.6028/NIST.SP.800-57pt3r1.
[73] Kuhn, D. Richard, et al., NIST SP 800-58, Security Considerations for Voice Over IP Systems, January 2005, http://csrc.nist.gov/publications/PubsSPs.html#800-58 [accessed 4/16/15].
[74] Frankel, Sheila, et al., NIST SP 800-77, Guide to IPsec VPNs, December 2005, http://csrc.nist.gov/publications/PubsSPs.html#800-77 [accessed 4/16/15].
[75] Shirey, R., Internet Security Glossary, Version 2, RFC 4949, August 2007, http://www.rfc-editor.org/rfc/rfc4949.txt [accessed 4/16/15].
[76] Franz, Matthew, and Venkat Pothamsetty, ModbusFW: Deep Packet Inspection for Industrial Ethernet, Critical Infrastructure Assurance Group, Cisco Systems, 2004, http://blogfranz.googlecode.com/files/franz-niscc-modbusfw-may04.pdf [accessed 4/16/15].
[77] Duggan, David, Penetration Testing of Industrial Control Systems, SAND2005-2846P, Sandia National Laboratories, March 2005, http://energy.sandia.gov/wp/wp-content/gallery/uploads/sand_2005_2846p.pdf [accessed 4/16/15].
[78] Kissel, Richard, et al., NIST SP 800-88 Revision 1, Guidelines for Media Sanitization, December 2014, http://dx.doi.org/10.6028/NIST.SP.800-88r1.
[79] Joint Task Force Transformation Initiative, NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments, September 2012, http://csrc.nist.gov/publications/PubsSPs.html#800-30 [accessed 4/16/15].
[80] Johnson, Arnold, et al., NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, August 2011, http://csrc.nist.gov/publications/PubsSPs.html#800-128 [accessed 4/16/15].
[81] Dempsey, Kelley, et al., NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, September 2011, http://csrc.nist.gov/publications/PubsSPs.html#800-137 [accessed 4/16/15].
[82] Waltermire, David, et al., NIST SP 800-126 Revision 2, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2, September 2011 (updated March 19, 2012), http://csrc.nist.gov/publications/PubsSPs.html#800-126rev2 [accessed 4/16/15].
[83] Executive Order no. 13636, Improving Critical Infrastructure Cybersecurity, DCPD-201300091, February 12, 2013, http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf [accessed 4/16/15].
[84] National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, version 1.0, February 12, 2014, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf [accessed 4/16/15].
[85] Scarfone, Karen, and Paul Hoffman, NIST SP 800-41 Revision 1, Guidelines on Firewalls and Firewall Policy, September 2009, http://csrc.nist.gov/publications/PubsSPs.html#800-41 [accessed 4/16/15].
[86] Office of Management and Budget, OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007, https://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2007/m07-16.pdf [accessed 4/16/15].
[87] Office of Management and Budget, OMB Memorandum M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies, June 25, 2010, https://www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-22.pdf [accessed 4/16/15].
[88] McCallister, Erika, et al., NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), April 2010, http://csrc.nist.gov/publications/PubsSPs.html#800-122 [accessed 4/16/15].
[89] Federal Enterprise Architecture Security and Privacy Profile, Version 3.0, September 2010, https://cio.gov/wp-content/uploads/downloads/2012/09/FEA-Security-Privacy-Profile-v3-09-302010.pdf [accessed 4/16/15].
[90] U.S. Department of Commerce, Federal Information Processing Standards (FIPS) Publication 140-2, Security Requirements for Cryptographic Modules, May 25, 2001 (Change Notice 2, 12/3/2002), http://csrc.nist.gov/publications/PubsFIPS.html#140-2 [accessed 4/16/15].
[91] Tracy, Miles, et al., NIST SP 800-45 Version 2, Guidelines on Electronic Mail Security, February 2007, http://csrc.nist.gov/publications/PubsSPs.html#800-45 [accessed 4/16/15].
[92] Grance, Tim, et al., NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems, August 2002, http://csrc.nist.gov/publications/PubsSPs.html#800-47 [accessed 4/16/15].
[93] Kent, Karen, et al., NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response, August 2006, http://csrc.nist.gov/publications/PubsSPs.html#800-86 [accessed 4/16/15].
[94] Scarfone, Karen, et al., NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices, November 2007, http://csrc.nist.gov/publications/PubsSPs.html#800-111 [accessed 4/16/15].
[95] Scarfone, Karen, et al., NIST SP 800-123, Guide to General Server Security, July 2008, http://csrc.nist.gov/publications/PubsSPs.html#800-123 [accessed 4/16/15].
[96] Scarfone, Karen, et al., NIST SP 800-127, Guide to Securing WiMAX Wireless Communications, September 2010, http://csrc.nist.gov/publications/PubsSPs.html#800-127 [accessed 4/16/15].
[97] Johnson, Arnold, et al., NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, August 2011, http://csrc.nist.gov/publications/PubsSPs.html#800-128 [accessed 4/16/15].
[98] Smart Grid Interoperability Panel, Smart Grid Cybersecurity Committee, NISTIR 7628 Revision 1, Guidelines for Smart Grid Cybersecurity, September 2014, http://dx.doi.org/10.6028/NIST.IR.7628r1 [accessed 4/16/15].
[99] Kissel, Richard (ed.), NISTIR 7298 Revision 2, Glossary of Key Information Security Terms, May 2013, http://dx.doi.org/10.6028/NIST.IR.7298r2 [accessed 4/16/15].
Appendix G: ICS Overlay

NOTE TO READERS

The ICS overlay is a partial tailoring of the controls and control baselines in SP 800-53, Revision 4, and adds supplementary guidance specific to ICS. The concept of overlays is introduced in Appendix I of SP 800-53, Revision 4. The ICS overlay is intended to be applicable to all ICS systems in all industrial sectors. Further tailoring can be performed to add specificity to a particular sector (e.g., pipeline, energy). Ultimately, an overlay may be produced for a specific system (e.g., the XYZ company).

This ICS overlay constitutes supplemental guidance and tailoring for SP 800-53, Revision 4. Please be sure you are looking at the correct version of SP 800-53. Duplicating Appendix F of SP 800-53 would increase the size of this Appendix by over 65 pages. Therefore, the drafting committee has decided to not duplicate Appendix F. The reader should have SP 800-53, Revision 4 available.

The authoring team also considered that this ICS overlay may serve as a model for other overlays. Feedback on this Appendix's structure would be appreciated, especially in the following areas: the level of abstraction and whether the examples provided in the supplemental guidance are sufficient/beneficial for implementation.

Since the ICS overlay exists in the context of SP 800-53, Revision 4, it is important to review that context. SP 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, represents the most comprehensive update to the security controls catalog since its inception in 2005.
This update was motivated principally by the expanding threat space, characterized by the increasing sophistication of cyber attacks and the operations tempo of adversaries (i.e., the frequency of such attacks, the professionalism of the attackers, and the persistence of targeting by attackers). State-of-the-practice security controls and control enhancements have been developed and integrated into the catalog addressing such areas as: mobile and cloud computing; applications security; trustworthiness, assurance, and resiliency of information systems; insider threat; supply chain security; and the advanced persistent threat.

To take advantage of the expanded set of security and privacy controls, and to give organizations greater flexibility and agility in defending their information systems, the concept of overlays was introduced in this revision. Overlays provide a structured approach to help organizations tailor security control baselines and develop specialized security plans that can be applied to specific missions/business functions, environments of operation, and/or technologies. This specialization approach is important as the number of threat-driven controls and control enhancements in the catalog increases and organizations develop risk management strategies to address their specific protection needs within defined risk tolerances.
Identification

This overlay may be referenced as the NIST Special Publication 800-82 Revision 2 Industrial Control System Overlay ("NIST SP 800-82 Rev 2 ICS Overlay"). It is based on NIST SP 800-53 Revision 4 [22].

NIST developed this overlay in furtherance of its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014 (Public Law 113-283), Presidential Policy Directive (PPD)-21 and Executive Order 13636. NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems.

Comments may be directed to icsoverlaycomments@nist.gov.

Overlay Characteristics

Industrial Control Systems (ICS) are typically used in industries such as electric, water and wastewater, oil and natural gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods). Supervisory control and data acquisition (SCADA) systems are generally used to control dispersed assets using centralized data acquisition and supervisory control. Distributed Control Systems (DCS) are generally used to control production systems within a local area such as a factory using supervisory and regulatory control. Programmable Logic Controllers (PLCs) are generally used for discrete control for specific applications and generally provide regulatory control. These control systems are vital to the operation of the U.S. critical infrastructures that are often highly interconnected and mutually dependent systems. It is important to note that approximately 90 percent of the nation's critical infrastructures are privately owned and operated.
Federal agencies also operate many of the ICS mentioned above; other examples include air traffic control and materials handling (e.g., Postal Service mail handling).

Applicability

The purpose of this overlay is to provide guidance for securing ICS, including SCADA and DCS systems, PLCs, and other systems performing industrial control functions. This overlay has been prepared for use by federal agencies. It may be used by nongovernmental organizations on a voluntary basis.

Overlay Summary

Table G-1 provides a summary of the security controls and control enhancements from NIST SP 800-53 Appendix F [22, App. F] that have been allocated to the initial security control baselines (i.e., Low, Moderate, and High) along with indications of ICS Supplemental Guidance and ICS tailoring. Controls and control enhancements for which there is ICS Supplemental Guidance are bolded. If the control baselines are supplemented by the addition of a control to the baseline, the control or control enhancement is underlined. If a control or control enhancement is removed from the baseline, the control or control enhancement is struck out.

Example:

CNTL NO. | CONTROL NAME | LOW | MOD | HIGH
AU-4 | Audit Storage Capacity | AU-4 (1) | AU-4 (1) | AU-4 (1)

In this example, ICS Supplemental Guidance was added to Control Enhancement 1 of AU-4 (bolded). In addition, Control Enhancement 1 of AU-4 was added to the Low, Moderate (Mod), and High baselines (underlined).
Table G-1 Security Control Baselines

The LOW, MOD and HIGH columns give the initial control baselines.

CNTL NO. | CONTROL NAME | LOW | MOD | HIGH
--- | --- | --- | --- | ---
AC-1 | Access Control Policy and Procedures | AC-1 | AC-1 | AC-1
AC-2 | Account Management | AC-2 | AC-2 (1) (2) (3) (4) | AC-2 (1) (2) (3) (4) (5) (11) (12) (13)
AC-3 | Access Enforcement | AC-3 | AC-3 | AC-3
AC-4 | Information Flow Enforcement | Not Selected | AC-4 | AC-4
AC-5 | Separation of Duties | Not Selected | AC-5 | AC-5
AC-6 | Least Privilege | Not Selected | AC-6 (1) (2) (5) (9) (10) | AC-6 (1) (2) (3) (5) (9) (10)
AC-7 | Unsuccessful Logon Attempts | AC-7 | AC-7 | AC-7
AC-8 | System Use Notification | AC-8 | AC-8 | AC-8
AC-10 | Concurrent Session Control | Not Selected | Not Selected | AC-10
AC-11 | Session Lock | Not Selected | AC-11 (1) | AC-11 (1)
AC-12 | Session Termination | Not Selected | AC-12 | AC-12
AC-14 | Permitted Actions without Identification or Authentication | AC-14 | AC-14 | AC-14
AC-17 | Remote Access | AC-17 | AC-17 (1) (2) (3) (4) | AC-17 (1) (2) (3) (4)
AC-18 | Wireless Access | AC-18 | AC-18 (1) | AC-18 (1) (4) (5)
AC-19 | Access Control for Mobile Devices | AC-19 | AC-19 (5) | AC-19 (5)
AC-20 | Use of External Information Systems | AC-20 | AC-20 (1) (2) | AC-20 (1) (2)
AC-21 | Collaboration and Information Sharing | AC-21 | AC-21 | AC-21
AC-22 | Publicly Accessible Content | AC-22 | AC-22 | AC-22
AT-1 | Security Awareness and Training Policy and Procedures | AT-1 | AT-1 | AT-1
AT-2 | Security Awareness Training | AT-2 | AT-2 (2) | AT-2 (2)
AT-3 | Role-Based Security Training | AT-3 | AT-3 | AT-3
AT-4 | Security Training Records | AT-4 | AT-4 | AT-4
AU-1 | Audit and Accountability Policy and Procedures | AU-1 | AU-1 | AU-1
AU-2 | Audit Events | AU-2 | AU-2 (3) | AU-2 (3)
AU-3 | Content of Audit Records | AU-3 | AU-3 (1) | AU-3 (1) (2)
AU-4 | Audit Storage Capacity | AU-4 (1) | AU-4 (1) | AU-4 (1)
AU-5 | Response to Audit Processing Failures | AU-5 | AU-5 | AU-5 (1) (2)
AU-6 | Audit Review, Analysis, and Reporting | AU-6 | AU-6 (1) (3) | AU-6 (1) (3) (5) (6)
AU-7 | Audit Reduction and Report Generation | Not Selected | AU-7 (1) | AU-7 (1)
AU-8 | Time Stamps | AU-8 | AU-8 (1) | AU-8 (1)
AU-9 | Protection of Audit Information | AU-9 | AU-9 (4) | AU-9 (2) (3) (4)
AU-10 | Non-repudiation | Not Selected | Not Selected | AU-10
AU-11 | Audit Record Retention | AU-11 | AU-11 | AU-11
AU-12 | Audit Generation | AU-12 | AU-12 | AU-12 (1) (3)
CA-1 | Security Assessment and Authorization Policies and Procedures | CA-1 | CA-1 | CA-1
CA-2 | Security Assessments | CA-2 | CA-2 (1) | CA-2 (1) (2)
CA-3 | System Interconnections | CA-3 | CA-3 (5) | CA-3 (5)
CA-5 | Plan of Action and Milestones | CA-5 | CA-5 | CA-5
CA-6 | Security Authorization | CA-6 | CA-6 | CA-6
CA-7 | Continuous Monitoring | CA-7 | CA-7 (1) | CA-7 (1)
CA-8 | Penetration Testing | Not Selected | Not Selected | CA-8
CA-9 | Internal System Connections | CA-9 | CA-9 | CA-9
CM-1 | Configuration Management Policy and Procedures | CM-1 | CM-1 | CM-1
CM-2 | Baseline Configuration | CM-2 | CM-2 (1) (3) (7) | CM-2 (1) (2) (3) (7)
CM-3 | Configuration Change Control | Not Selected | CM-3 (2) | CM-3 (1) (2)
CM-4 | Security Impact Analysis | CM-4 | CM-4 | CM-4 (1)
CM-5 | Access Restrictions for Change | Not Selected | CM-5 | CM-5 (1) (2) (3)
CM-6 | Configuration Settings | CM-6 | CM-6 | CM-6 (1) (2)
CM-7 | Least Functionality | CM-7 (1) | CM-7 (1) (2) (4) (5) | CM-7 (1) (2) (5)
CM-8 | Information System Component Inventory | CM-8 | CM-8 (1) (3) (5) | CM-8 (1) (2) (3) (4) (5)
CM-9 | Configuration Management Plan | Not Selected | CM-9 | CM-9
CM-10 | Software Usage Restrictions | CM-10 | CM-10 | CM-10
CM-11 | User-Installed Software | CM-11 | CM-11 | CM-11
CP-1 | Contingency Planning Policy and Procedures | CP-1 | CP-1 | CP-1
CP-2 | Contingency Plan | CP-2 | CP-2 (1) (3) (8) | CP-2 (1) (2) (3) (4) (5) (8)
CP-3 | Contingency Training | CP-3 | CP-3 | CP-3 (1)
CP-4 | Contingency Plan Testing | CP-4 | CP-4 (1) | CP-4 (1) (2)
CP-6 | Alternate Storage Site | Not Selected | CP-6 (1) (3) | CP-6 (1) (2) (3)
CP-7 | Alternate Processing Site | Not Selected | CP-7 (1) (2) (3) | CP-7 (1) (2) (3) (4)
CP-8 | Telecommunications Services | Not Selected | CP-8 (1) (2) | CP-8 (1) (2) (3) (4)
CP-9 | Information System Backup | CP-9 | CP-9 (1) | CP-9 (1) (2) (3) (5)
CP-10 | Information System Recovery and Reconstitution | CP-10 | CP-10 (2) | CP-10 (2) (4)
CP-12 | Safe Mode | CP-12 | CP-12 | CP-12
IA-1 | Identification and Authentication Policy and Procedures | IA-1 | IA-1 | IA-1
IA-2 | Identification and Authentication (Organizational Users) | IA-2 (1) (12) | IA-2 (1) (2) (3) (8) (11) (12) | IA-2 (1) (2) (3) (4) (8) (9) (11) (12)
IA-3 | Device Identification and Authentication | IA-3 | IA-3 (1) (4) | IA-3 (1) (4)
IA-4 | Identifier Management | IA-4 | IA-4 | IA-4
IA-5 | Authenticator Management | IA-5 (1) (11) | IA-5 (1) (2) (3) (11) | IA-5 (1) (2) (3) (11)
IA-6 | Authenticator Feedback | IA-6 | IA-6 | IA-6
IA-7 | Cryptographic Module Authentication | IA-7 | IA-7 | IA-7
IA-8 | Identification and Authentication (Non-Organizational Users) | IA-8 (1) (2) (3) (4) | IA-8 (1) (2) (3) (4) | IA-8 (1) (2) (3) (4)
IR-1 | Incident Response Policy and Procedures | IR-1 | IR-1 | IR-1
IR-2 | Incident Response Training | IR-2 | IR-2 | IR-2 (1) (2)
IR-3 | Incident Response Testing | Not Selected | IR-3 (2) | IR-3 (2)
IR-4 | Incident Handling | IR-4 | IR-4 (1) | IR-4 (1) (4)
IR-5 | Incident Monitoring | IR-5 | IR-5 | IR-5 (1)
IR-6 | Incident Reporting | IR-6 | IR-6 (1) | IR-6 (1)
IR-7 | Incident Response Assistance | IR-7 | IR-7 (1) | IR-7 (1)
IR-8 | Incident Response Plan | IR-8 | IR-8 | IR-8
MA-1 | System Maintenance Policy and Procedures | MA-1 | MA-1 | MA-1
MA-2 | Controlled Maintenance | MA-2 | MA-2 | MA-2 (2)
MA-3 | Maintenance Tools | Not Selected | MA-3 (1) (2) | MA-3 (1) (2) (3)
MA-4 | Nonlocal Maintenance | MA-4 | MA-4 (2) | MA-4 (2) (3)
MA-5 | Maintenance Personnel | MA-5 | MA-5 | MA-5 (1)
MA-6 | Timely Maintenance | Not Selected | MA-6 | MA-6
MP-1 | Media Protection Policy and Procedures | MP-1 | MP-1 | MP-1
MP-2 | Media Access | MP-2 | MP-2 | MP-2
MP-3 | Media Marking | Not Selected | MP-3 | MP-3
MP-4 | Media Storage | Not Selected | MP-4 | MP-4
MP-5 | Media Transport | Not Selected | MP-5 (4) | MP-5 (4)
MP-6 | Media Sanitization | MP-6 | MP-6 | MP-6 (1) (2) (3)
MP-7 | Media Use | MP-7 | MP-7 (1) | MP-7 (1)
PE-1 | Physical and Environmental Protection Policy and Procedures | PE-1 | PE-1 | PE-1
PE-2 | Physical Access Authorizations | PE-2 | PE-2 | PE-2
PE-3 | Physical Access Control | PE-3 | PE-3 | PE-3 (1)
PE-4 | Access Control for Transmission Medium | Not Selected | PE-4 | PE-4
PE-5 | Access Control for Output Devices | Not Selected | PE-5 | PE-5
PE-6 | Monitoring Physical Access | PE-6 | PE-6 (1) (4) | PE-6 (1) (4)
PE-8 | Visitor Access Records | PE-8 | PE-8 | PE-8 (1)
PE-9 | Power Equipment and Cabling | Not Selected | PE-9 (1) | PE-9 (1)
PE-10 | Emergency Shutoff | Not Selected | PE-10 | PE-10
PE-11 | Emergency Power | PE-11 (1) | PE-11 (1) | PE-11 (1) (2)
PE-12 | Emergency Lighting | PE-12 | PE-12 | PE-12
PE-13 | Fire Protection | PE-13 | PE-13 (3) | PE-13 (1) (2) (3)
PE-14 | Temperature and Humidity Controls | PE-14 | PE-14 | PE-14
PE-15 | Water Damage Protection | PE-15 | PE-15 | PE-15 (1)
PE-16 | Delivery and Removal | PE-16 | PE-16 | PE-16
PE-17 | Alternate Work Site | Not Selected | PE-17 | PE-17
PE-18 | Location of Information System Components | Not Selected | Not Selected | PE-18
PL-1 | Security Planning Policy and Procedures | PL-1 | PL-1 | PL-1
PL-2 | System Security Plan | PL-2 (3) | PL-2 (3) | PL-2 (3)
PL-4 | Rules of Behavior | PL-4 | PL-4 (1) | PL-4 (1)
PL-7 | Security Concept of Operations | PL-7 | PL-7 |
PL-8 | Information Security Architecture | Not Selected | PL-8 | PL-8
PS-1 | Personnel Security Policy and Procedures | PS-1 | PS-1 | PS-1
PS-2 | Position Risk Designation | PS-2 | PS-2 | PS-2
PS-3 | Personnel Screening | PS-3 | PS-3 | PS-3
PS-4 | Personnel Termination | PS-4 | PS-4 | PS-4 (2)
PS-5 | Personnel Transfer | PS-5 | PS-5 | PS-5
PS-6 | Access Agreements | PS-6 | PS-6 | PS-6
PS-7 | Third-Party Personnel Security | PS-7 | PS-7 | PS-7
PS-8 | Personnel Sanctions | PS-8 | PS-8 | PS-8
RA-1 | Risk Assessment Policy and Procedures | RA-1 | RA-1 | RA-1
RA-2 | Security Categorization | RA-2 | RA-2 | RA-2
RA-3 | Risk Assessment | RA-3 | RA-3 | RA-3
RA-5 | Vulnerability Scanning | RA-5 | RA-5 (1) (2) (5) | RA-5 (1) (2) (4) (5)
SA-1 | System and Services Acquisition Policy and Procedures | SA-1 | SA-1 | SA-1
SA-2 | Allocation of Resources | SA-2 | SA-2 | SA-2
SA-3 | System Development Life Cycle | SA-3 | SA-3 | SA-3
SA-4 | Acquisition Process | SA-4 (10) | SA-4 (1) (2) (9) (10) | SA-4 (1) (2) (9) (10)
SA-5 | Information System Documentation | SA-5 | SA-5 | SA-5
SA-8 | Security Engineering Principles | Not Selected | SA-8 | SA-8
SA-9 | External Information System Services | SA-9 | SA-9 (2) | SA-9 (2)
SA-10 | Developer Configuration Management | Not Selected | SA-10 | SA-10
SA-11 | Developer Security Testing and Evaluation | Not Selected | SA-11 | SA-11
SA-12 | Supply Chain Protection | Not Selected | Not Selected | SA-12
SA-15 | Development Process, Standards, and Tools | Not Selected | Not Selected | SA-15
SA-16 | Developer-Provided Training | Not Selected | Not Selected | SA-16
SA-17 | Developer Security Architecture and Design | Not Selected | Not Selected | SA-17
SC-1 | System and Communications Protection Policy and Procedures | SC-1 | SC-1 | SC-1
SC-2 | Application Partitioning | Not Selected | SC-2 | SC-2
SC-3 | Security Function Isolation | Not Selected | Not Selected | SC-3
SC-4 | Information in Shared Resources | Not Selected | SC-4 | SC-4
SC-5 | Denial of Service Protection | SC-5 | SC-5 | SC-5
SC-7 | Boundary Protection | SC-7 | SC-7 (3) (4) (5) (7) (18) | SC-7 (3) (4) (5) (7) (8) (18) (21)
SC-8 | Transmission Confidentiality and Integrity | Not Selected | SC-8 (1) | SC-8 (1)
SC-10 | Network Disconnect | Not Selected | SC-10 | SC-10
SC-12 | Cryptographic Key Establishment and Management | SC-12 | SC-12 | SC-12 (1)
SC-13 | Cryptographic Protection | SC-13 | SC-13 | SC-13
SC-15 | Collaborative Computing Devices | SC-15 | SC-15 | SC-15
SC-17 | Public Key Infrastructure Certificates | Not Selected | SC-17 | SC-17
SC-18 | Mobile Code | Not Selected | SC-18 | SC-18
SC-19 | Voice Over Internet Protocol | Not Selected | SC-19 | SC-19
SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | SC-20 | SC-20 | SC-20
SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | SC-21 | SC-21 | SC-21
SC-22 | Architecture and Provisioning for Name/Address Resolution Service | SC-22 | SC-22 | SC-22
SC-23 | Session Authenticity | Not Selected | SC-23 | SC-23
SC-24 | Fail in Known State | Not Selected | SC-24 | SC-24
SC-28 | Protection of Information at Rest | Not Selected | SC-28 | SC-28
SC-39 | Process Isolation | SC-39 | SC-39 | SC-39
SC-41 | Port and I/O Device Access | SC-41 | SC-41 | SC-41
SI-1 | System and Information Integrity Policy and Procedures | SI-1 | SI-1 | SI-1
SI-2 | Flaw Remediation | SI-2 | SI-2 (2) | SI-2 (1) (2)
SI-3 | Malicious Code Protection | SI-3 | SI-3 (1) (2) | SI-3 (1) (2)
SI-4 | Information System Monitoring | SI-4 | SI-4 (2) (4) (5) | SI-4 (2) (4) (5)
SI-5 | Security Alerts, Advisories, and Directives | SI-5 | SI-5 | SI-5 (1)
SI-6 | Security Function Verification | Not Selected | Not Selected | SI-6
SI-7 | Software, Firmware, and Information Integrity | Not Selected | SI-7 (1) (7) | SI-7 (1) (2) (5) (7) (14)
SI-8 | Spam Protection | Not Selected | SI-8 (1) (2) | SI-8 (1) (2)
SI-10 | Information Input Validation | Not Selected | SI-10 | SI-10
SI-11 | Error Handling | Not Selected | SI-11 | SI-11
SI-12 | Information Handling and Retention | SI-12 | SI-12 | SI-12
SI-13 | Predictable Failure Prevention | Not Selected | Not Selected | SI-13
SI-14 | Non-Persistence | Not Selected | Not Selected | Not Selected
SI-15 | Information Output Filtering | Not Selected | Not Selected | Not Selected
SI-16 | Memory Protection | Not Selected | SI-16 | SI-16
SI-17 | Fail-Safe Procedures | SI-17 | SI-17 | SI-17

The PM-family is deployed organization-wide, supporting the information security program. It is not associated with security control baselines and is independent of any system impact level.

CNTL NO. | CONTROL NAME
--- | ---
PM-1 | Information Security Program Plan
PM-2 | Senior Information Security Officer
PM-3 | Information Security Resources
PM-4 | Plan of Action and Milestones Process
PM-5 | Information System Inventory
PM-6 | Information Security Measures of Performance
PM-7 | Enterprise Architecture
PM-8 | Critical Infrastructure Plan
PM-9 | Risk Management Strategy
PM-10 | Security Authorization Process
PM-11 | Mission/Business Process Definition
PM-12 | Insider Threat Program
PM-13 | Information Security Workforce
PM-14 | Testing, Training, and Monitoring
PM-15 | Contacts with Security Groups and Associations
PM-16 | Threat Awareness Program
PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY Tailoring Considerations Due to the unique characteristics of ICS, these systems may require a greater use of compensating security controls than is the case for general purpose information systems. Compensating controls are not exceptions or waivers to the baseline controls; rather, they are alternative safeguards and countermeasures employed within the ICS that accomplish the intent of the original security controls that could not be effectively employed. See âSelecting Compensating Security Controlsâ in section 3.2 of NIST SP 800-53 Rev. 4 [22]. In situations where the ICS cannot support, or the organization determines it is not advisable to implement, particular security controls or control enhancements in an ICS (e.g., performance, safety, or reliability are adversely impacted), the organization provides a complete and convincing rationale for how the selected compensating controls provide an equivalent security capability or level of protection for the ICS and why the related baseline security controls could not be employed. In accordance with the Technology-related Considerations of the Scoping Guidance in NIST SP 800-53 Rev. 4, section 3.2, if automated mechanisms are not readily available, cost-effective, or technically feasible in the ICS, compensating security controls, implemented through nonautomated mechanisms or procedures are employed [22]. Compensating controls are alternative security controls employed by organizations in lieu of specific controls in the baselinesâcontrols that provide equivalent or comparable protection for organizational information systems and the information processed, stored, or transmitted by those systems. 
83 This may occur, for example, when organizations are unable to effectively implement specific security controls in the baselines or when, due to the specific nature of the ICS or environments of operation, the controls in the baselines are not a cost-effective means of obtaining the needed risk mitigation. Compensating controls may include control enhancements that supplement the baseline. Using compensating controls may involve a trade-off between additional risk and reduced functionality. Every use of compensating controls should involve a risk-based determination of: (i) how much residual risk to accept, and (ii) how much functionality should be reduced. Compensating controls may be employed by organizations under the following conditions: ïŒ Organizations select compensating controls from NIST SP 800-53 Rev. 4, Appendix F. If appropriate compensating controls are not available, organizations adopt suitable compensating controls from other sources 84 ïŒ Organizations provide supporting rationale for how compensating controls provide equivalent security capabilities for organizational information systems and why the baseline security controls could not be employed. ïŒ Organizations assess and accept the risk associated with implementing compensating controls in ICS. Organizational decisions on the use of compensating controls are documented in the security plan for the ICS. 83 84 42 More than one compensating control may be required to provide the equivalent protection for a particular security control in Appendix F. For example, organizations with significant staff limitations may compensate for the separation of duty security control by strengthening the audit, accountability, and personnel security controls. 43 Organizations should make every attempt to select compensating controls from the security control catalog in Appendix F. 
Organization-defined compensating controls are employed only when organizations determine that the security control catalog does not contain suitable compensating controls. 357 SP800-82 第 2 ç ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ã ã«ã¹ã¿ãã€ãºã®èæ ®äºé ICS ç¬ç¹ã®ç¹åŸŽããããããã·ã¹ãã ã«å¿ èŠãšãããè£åã»ãã¥ãªãã£ç®¡çã¯ãæ±çšã®æ å ±ã·ã¹ ãã ãããå€ãã代æ¿ç®¡çã¯ããŒã¹ã©ã€ã³ç®¡çã®äŸå€ãæŸæ£ã§ã¯ãªãã代æ¿ã®å®å šçåã³å¯Ÿçãš ã㊠ICS å ã§æ¡çšãããæå¹å©çšã§ããªãå ã®ã»ãã¥ãªãã£å¯Ÿçã®ç®çãæãããNIST SP 80053 第 4 ç[22]ã®ã»ã¯ã·ã§ã³ 3.2ãè£åã»ãã¥ãªãã£å¯Ÿçããåç §ã®ããšã ICS ã ICS ã«ãããã»ãã¥ãªãã£å¯Ÿçè¥ããã¯ç®¡çæ¡åŒµã«å¯Ÿå¿ããŠããªãå Žååã¯çµç¹ã ICS ã« ãããã»ãã¥ãªãã£å¯Ÿçè¥ããã¯ç®¡çæ¡åŒµã®å®è£ ãäžé©ãšå€æããå ŽåïŒããã©ãŒãã³ã¹ãå®å š æ§ãä¿¡é Œæ§ãžã®æªåœ±é¿çïŒãéžå®ããè£åç管ççã«åçã®ã»ãã¥ãªãã£æ©èœåã¯åçã¬ãã«ã® ICS ä¿è·èœåããããé¢é£ããŒã¹ã©ã€ã³ã»ãã¥ãªãã£å¯Ÿçãæ¡çšã§ããªãã£ãçç±ã«ã€ããŠãçµ ç¹ã¯çŽåŸã®ããçç±ã瀺ãã èªååã¡ã«ããºã ãããã«å©çšã§ããªããè²»çšå¹æããªãåã¯æè¡çã«äžå¯èœãªå ŽåãNIST SP 800-53 第 4 çã®ã»ã¯ã·ã§ã³ 3.2 ã®ãé©çšç¯å²ã¬ã€ãã³ã¹ã®æè¡é¢é£èæ ®äºé ãã«åŸããè£åã» ãã¥ãªãã£å¯Ÿçãéèªååã¡ã«ããºã åã¯æé ã®å®æœãéããŠæ¡çšãã[22]ã è£åç管ççã¯ãç¹å®ã®ããŒã¹ã©ã€ã³ç®¡çã«ä»£ããŠçµç¹ãåã代æ¿ã»ãã¥ãªãã£å¯Ÿçã§ãçµç¹ã® æ å ±ã·ã¹ãã ãšããã§åŠçãä¿ç®¡åã¯éä¿¡ãããæ å ±ã«åçã®ä¿è·ãäžãããã®ãããã85 äŸã ã°ãç¹å®ã®ããŒã¹ã©ã€ã³ç®¡çãå¹æçã«å®æœã§ããªãå ŽåããICS åºæã®æ§è³ªè¥ããã¯éçšç°å¢ ã«èµ·å ããŠãããŒã¹ã©ã€ã³ã®ç®¡çããªã¹ã¯ç·©åäžè²»çšå¯Ÿå¹æã®ãªãå Žåã«ãè£åç管ççãè¬ã ããããè£åç管ççã«ã¯ãããŒã¹ã©ã€ã³ãè£å®ãã管çæ¡åŒµãå«ãŸããããšããããè£åç管 ççãè¡ãã«ã¯ããªã¹ã¯å¢å ãšæ©èœäœäžã®ãã©ã³ã¹ãé¢ä¿ããŠãããå¿ ã(1)蚱容ã§ãããªã¹ã¯ ã®çšåºŠãšãïŒ2ïŒã©ã®çšåºŠæ©èœãäœäžããããããªã¹ã¯ã«åºã¥ããŠå€æãã¹ãã§ãããçµç¹ã¯ã 次ã®ãããªæ¡ä»¶ã®äžã§è£åç管ççãæ¡çšã§ããã ïŒ é©åœãªè£åç管ççã NIST SP 800-53 第 4 çä»é² F ããéžã¶ 86ãé©åœãªè£åç管ççãåä» é²ã«ãªãå Žåãä»ã®ãœãŒã¹ããé©åœãªè£åç管ççãæ¡çšããã ïŒ çµç¹ã¯ãè£åç管ççãæ å ±ã·ã¹ãã ã«å¯ŸããŠåçã®ã»ãã¥ãªãã£æ©èœãæããããŒã¹ã©ã€ ã³ã»ãã¥ãªãã£å¯Ÿçãæ¡çšã§ããªãã£ãæ ¹æ ãšãªãçç±ã瀺ãã ïŒ çµç¹ã¯ãICS ã«ãããè£åç管ççã®å®æœã«ä»éãããªã¹ã¯ãè©äŸ¡ãåãå ¥ããã 代æ¿ç®¡çãå©çšããçµç¹ã®æ±ºå®ã¯ãICS ã®ã»ãã¥ãªãã£èšç»æžã«èšé²ããã 85 86 ä»é² F 
ã®ç¹å®ã®ã»ãã¥ãªãã£å¯Ÿçã«åçã®ä¿è·ãäžããã«ã¯ãè£å管çãè€æ°å¿ èŠãšãªãããšããããäŸãã°ãè·å¡æ°ã éãããŠããçµç¹ã§ã¯ãç£æ»ç®¡çã説æ責任管çåã³è·å¡ã®ã»ãã¥ãªãã£å¯Ÿçã匷åããŠãã»ãã¥ãªãã£ç®¡çä»»åãåå² ããããšã«ãªããã çµç¹ã¯ããããåªåãæã£ãŠãä»é² F ã®ã»ãã¥ãªãã£å¯Ÿçã«ã¿ãã°ããè£åç管ççãéžã¶ã¹ãã§ãããçµç¹ãèªãå®çŸ© ããè£åç管ççã¯ãåã«ã¿ãã°ã«é©åœãªãã®ããªãå Žåã«ã®ã¿æ¡çšããã 358 SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY Controls that contain assignments (e.g., Assignment: organization-defined conditions or trigger events) may be tailored out of the baseline. This is equivalent to assigning a value of ânone.â The assignment may take on different values for different impact baselines. Non-Addressable and Non-Routable Communications The unique network properties within ICS warrant specific attention when applying certain security controls. Many of the controls in NIST SP 800-53 Rev. 4 that pertain to communication, devices, and interfaces implicitly assume the applicability of addressable and routable protocols such as the TCP/IP Internet protocol suite 87 or layers 1, 2, and 3 of the Open Systems Interconnection (OSI) model (ISO/IEC 7498-1). Some devices, or subsystems, used in ICS are exceptions to this assumption. This section addresses how the controls may be appropriately tailored. Tailoring is primarily required due to the following situations: ïŒ Capabilities not present. The intent of certain controls may be more easily achieved through compensating controls due to certain network properties or capabilities not existing in the ICS subsystem. For example, physical protections (e.g., locked cabinets) may be used to secure an entire point-to-point communication channel as a means to compensate for a lack of protocols that support authentication. Security controls may warrant additional supplemental guidance to help ensure the implementation of the control or compensating control provides the appropriate level of protection. ïŒ Non-applicable security controls. 
Many communication protocols found within an ICS may have limited functionality (e.g., not addressable or routable). Security controls dealing with addressing and routing may not be applicable to these protocols. Security controls for devices that communicate point-to-point using standards and protocols that do not include addressing generally require tailoring. A modem connected to a computer through an RS-232 interface is an example. RS-232 was commonly employed in ICS equipment that is currently in use, even if it has been superseded in newer equipment. In telecommunications, RS-232 is the traditional name for a series of standards for serial binary single-ended data and control signals connecting between DTE (data terminal equipment) and DCE (data circuit-terminating equipment, originally defined as data communication equipment). The current version of the standard is Telecommunications Industry Association (TIA)-232-F, Interface Between Data Terminal Equipment and Data Circuit-Terminating Equipment Employing Serial Binary Data Interchange, issued in 1997. An RS-232 serial port was once a standard feature of small computing devices, such as ICS subsystems, used for connections to peripheral devices. However, the low transmission speed, large voltage swing, and large standard connectors motivated development of the Universal Serial Bus (USB), which has displaced RS-232 from most of its peripheral interface roles. RS-232 devices are still found, especially in industrial machines, networking equipment, and scientific instruments. Layered Network Models The layered network models used in both TCP/IP and OSI can provide a basis for understanding the various properties of network communications and will help identify how security controls can be appropriately applied to systems and networks. The following table introduces key properties about the physical, data link, and network layers regarding the application of security controls. 
87 44 Currently, the Internet Engineering Task Force, or IETF, manages the TCP/IP protocol suite. 359 SP800-82 第 2 ç ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ã å²åœïŒçµç¹ãå®çŸ©ããæ¡ä»¶ãããªã¬ãŒäºè±¡çïŒã¯ãããŒã¹ã©ã€ã³ãåºã«ã«ã¹ã¿ãã€ãºã§ãããã ãã¯ããªããã®å€ãå²ãåœãŠãã®ãšåãããšã§ãããå²åœã¯ã圱é¿ããŒã¹ã©ã€ã³ãç°ãªããšå€ã ç°ãªãããšãããã ã¢ãã¬ã¹æå®åã¯çµè·¯æå®ã®ãªãéä¿¡ ç¹å®ã®ã»ãã¥ãªãã£å¯Ÿçãé©çšããå ŽåãICS å ã§ã®åºæã®ãããã¯ãŒã¯ç¹æ§ã«ç¹ã«çæãã¹ã ã§ãããNIST SP 800-53 第 4 çã®éä¿¡ãããã€ã¹åã³ã€ã³ã¿ãã§ãŒã¹ã«é¢ãã管çã®å€ãã¯ã TCP/IP ã€ã³ã¿ãŒãããã¹ã€ãŒã 88ããªãŒãã³ã·ã¹ãã éçžäºé£æ¥ïŒOSIïŒã¢ãã«(ISO/IEC 74981)ã® TCP/IP ã¬ã€ã€ãŒ1ã2ã3 çãã¢ãã¬ã¹æå®å¯èœåã¯çµè·¯æå®å¯èœãããã³ã«ãé©çšããã ãšãæé»ã®åæã«ããŠãããICS ã§äœ¿çšããããçš®ã®ããã€ã¹ããµãã·ã¹ãã ã¯ããã®åæã®äŸ å€ãšãªãããã®ã»ã¯ã·ã§ã³ã§ã¯ã管çã®é©æ£ãªã«ã¹ã¿ãã€ãºæ¹æ³ã«ã€ããŠåãäžãããã«ã¹ã¿ã ã€ãºã¯ãäž»ãšããŠæ¬¡ã®ãããªå Žåã«å¿ èŠãšãªãã ïŒ æ©èœããªããç¹å®ã®ç®¡çã®ç®çã¯ãç¹å®ã®ãããã¯ãŒã¯ç¹æ§åã¯æ©èœã ICS ãµãã·ã¹ãã ã« ãªããããè£åç管ççã«ãã容æã«éæå¯èœã§ãããäŸãã°ç©ççä¿è·ïŒãã£ããããã® æœé çïŒã¯ãèªèšŒæ©èœä»ããããã³ã«ããªãå Žåã®è£åæ段ãšããŠã2 ç¹ééä¿¡ãã£ã³ãã« ã®ã»ãã¥ã¢åã«å©çšã§ãããã»ãã¥ãªãã£å¯Ÿçã¯ä»å çãªè£è¶³ã¬ã€ãã³ã¹ãšããŠã管çå㯠è£åç管ççã«ããé©æ§ã¬ãã«ã®ä¿è·ã®ç¢ºä¿ã«åœ¹ç«ã€ã ïŒ é©çšå¯èœãªã»ãã¥ãªãã£å¯ŸçããªããICS ã§äœ¿çšãããŠãããããã³ã«ã®å€ãã¯ãæ©èœãé ãããŠããïŒã¢ãã¬ã¹æå®ãã«ãŒãæå®ãã§ããªãçïŒãã¢ãã¬ã¹åã³ã«ãŒãã«é¢ããã»ã ã¥ãªãã£å¯Ÿçã¯ããã®ãããªãããã³ã«ã«ã¯é©çšã§ããªãã ã¢ãã¬ã¹æå®ã®ãªãèŠæ Œåã³ãããã³ã«ã䜿çšãã 2 ç¹ééä¿¡ãè¡ãããã€ã¹ã®ã»ãã¥ãªãã£å¯Ÿ çã«ã¯ãéåžžãã«ã¹ã¿ãã€ãºãå¿ èŠãšãªããRS-232 ã€ã³ã¿ãã§ãŒã¹çµç±ã®ã³ã³ãã¥ãŒã¿ã«æ¥ç¶ ãããã¢ãã«ããã®äžäŸã§ãããRS-232 ã¯ãçŸåšå©çšãããŠãã ICS è£ ååã§äžè¬çã«äœ¿çšã ããŠããïŒããããè£ ååãæ°ãããã®ã«æè£ ãããŠããå Žåã§ãã£ãŠãïŒãé»æ°éä¿¡ã«ãã㊠RS-232 ã¯ãDTEïŒããŒã¿ç«¯æ«è£ 眮ïŒãš DCEïŒããŒã¿åç·çµç«¯è£ 眮ãå ã¯ããŒã¿éä¿¡è£ çœ®ïŒéã®ã· ãªã¢ã«ãã€ããªã·ã³ã°ã«ãšã³ãããŒã¿å¶åŸ¡ä¿¡å·èŠæ Œã®äŒçµ±çãªå称ã§ãããçŸè¡çèŠæ Œã¯ç±³åœé» æ°éä¿¡å·¥æ¥äŒïŒTIAïŒ-232-Fãã·ãªã¢ã«ãã€ããªããŒã¿äº€æã«ããããŒã¿ç«¯æ«è£ 眮ããŒã¿åç·ç«¯ æ«è£ 眮éã€ã³ã¿ãã§ãŒã¹ããšããŠã1997 幎ã«çºè¡šãããã RS-232 ã·ãªã¢ã«ããŒãã¯ãICS ãµãã·ã¹ãã çã®å°åã³ã³ãã¥ãŒãã£ã³ã°ããã€ã¹ã®èŠæ Œæ©èœãš 
ããŠãåšèŸºããã€ã¹ãžã®æ¥ç¶ã«äœ¿çšãããããããéä¿¡é床ãé ããé»å§æ¯å¹ ã倧ãããèŠæ Œã³ ãã¯ã¿ã倧ããããšãã USB ãéçºãããRS-232 ã®åšèŸºã€ã³ã¿ãã§ãŒã¹ãšããŠã®åœ¹å²ã¯çµã㣠ããRS-232 ããã€ã¹ã¯ãç¹ã«ç£æ¥çšãã·ã³ããããã¯ãŒãã³ã°è£ 眮åã³ç§åŠèšè£ æ©åšã§ä»ã§ã 䜿çšãããŠããã éå±€åãããã¯ãŒã¯ã¢ãã« TCP/IP ãš OSI ã®åæ¹ã§äœ¿çšãããŠãã éå±€åãããã¯ãŒã¯ã¢ãã«ã¯ããããã¯ãŒã¯éä¿¡ãç解 ããåºæ¬ã§ãã·ã¹ãã åã³ãããã¯ãŒã¯ã«é©çšãã¹ãã»ãã¥ãªãã£å¯ŸçèŠé ã®èå¥ã«åœ¹ç«ã€ã次 ã®è¡šã¯ãã»ãã¥ãªãã£å¯Ÿçã®é©çšã«é¢ããç©ççéå±€ãããŒã¿ãªã³ã¯éå±€åã³ãããã¯ãŒã¯éå±€ ã®éèŠç¹æ§ã瀺ãã 88 çŸåšã€ã³ã¿ãŒãããã¿ã¹ã¯ãã©ãŒã¹ïŒIETFïŒã TCP/IP ãããã³ã«ã¹ã€ãŒãã®ç®¡çãè¡ã£ãŠããã 360 SPECIAL PUBLICATION 800-82 REVISION 2 Network Layer Physical Data link Network GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY Layer properties Physical Medium â A networkâs physical medium, specifically whether itâs wired or wireless can drive the application/tailoring of certain controls. Wireless connections cannot be physically protected; therefore, compensating controls focusing on physical security cannot be used. Topology â The physical topologies may also determine how controls are tailored. For example point-to-point topologies (e.g., RS-232) generally do not need physically addressable interfaces, while multipoint topologies (e.g., IEEE 802.3 Ethernet) do require physically addressable interfaces. Physically Addressable â Multipoint protocols require physically addressable interfaces to allow for multiple systems to communicate. Systems that are not physically addressable can only be accessed by those systems with which it shared point-to-point connections. Network Addressable/Routable â Network addressable/routable systems can be accessed by any system on an internetwork. That is, communications can be routed between networks. If a system is not network addressable/routable, it can only be accessed by systems with which it shares a local network connection. 
Definitions

Terms used in this overlay are defined in Appendix B or in NIST Internal Report (NISTIR) 7298 Revision 2, Glossary of Key Information Security Terms [99].

Additional Information or Instructions

None at this time. Organizations may provide any additional information or instructions relevant to the overlay not covered in the previous sections.

Detailed Overlay Control Specifications

This Overlay is based on the NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, which provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional). The security and privacy controls are customizable and implemented as part of an organization-wide process that manages information security and privacy risk. The controls address a diverse set of security and privacy requirements across the federal government and critical infrastructure, derived from legislation, Executive Orders, policies, directives, regulations, standards, and/or mission/business needs. The publication also describes how to develop specialized sets of controls, or overlays, tailored for specific types of missions/business functions, technologies, or environments of operation. Finally, the catalog of security controls addresses security from both a functionality perspective (the strength of security functions and mechanisms provided) and an assurance perspective (the measures of confidence in the implemented security capability). Addressing both security functionality and assurance helps to ensure that information technology component products and the information systems built from those products using sound system and security engineering principles are sufficiently trustworthy.

In preparation for selecting and specifying the appropriate security controls for organizational information systems and their respective environments of operation, organizations first determine the criticality and sensitivity of the information to be processed, stored, or transmitted by those systems. This process is known as security categorization. FIPS 199 [15] enables federal agencies to establish security categories for both information and information systems. Other documents, such as those produced by ISA and CNSS, also provide guidance for defining low, moderate, and high levels of security based on impact. The security categories are based on the potential impact on an organization or on people (employees and/or the public) should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals' safety, health and life. Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization.

This overlay provides ICS Supplemental Guidance for the security controls and control enhancements prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements. This overlay contains a tailoring of the security control baselines; its specification may be more stringent or less stringent than the original security control baseline specification and can be applied to multiple information systems. This overlay is high-level, applicable to all ICS; it may be used as the basis for more specific overlays. Use cases for specific systems in specific environments may be separately published (e.g., as a NISTIR).
363 SP800-82 第 2 ç ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ã 詳现ãªãŒããŒã¬ã€ç®¡çä»æ§æž ãã®ãªãŒããŒã¬ã€ã¯ NIST SP 800-53 第 4 çãé£éŠæ å ±ã·ã¹ãã ã»çµç¹ã®ã»ãã¥ãªãã£ã»ãã©ã€ ãã·ãŒç®¡çããåºã«ããŠããã第 4 çã«ã¯çµç¹éçšïŒä»»åãæ©èœãã€ã¡ãŒãžãè©å€çïŒãçµç¹è³ ç£ãå人ãä»ã®çµç¹åã³åœãæµã®ãµã€ããŒæ»æãèªç¶çœå®³ãæ§é çé害åã³äººçé誀ïŒæå³çå ã¯å¶çºçïŒçã®æ§ã ãªè åšããä¿è·ããããã®é£éŠæ å ±ã·ã¹ãã ã»çµç¹åã³ç®¡çéžå®ããã»ã¹ã® ã»ãã¥ãªãã£ã»ãã©ã€ãã·ãŒç®¡çã«ã¿ãã°ã瀺ãããŠãããã»ãã¥ãªãã£ã»ãã©ã€ãã·ãŒç®¡ç㯠ã«ã¹ã¿ãã€ãºãå¯èœã§ãæ å ±ã»ãã¥ãªãã£ã»ãã©ã€ãã·ãŒã®ãªã¹ã¯ã管çããå šçµç¹çããã»ã¹ ã®äžç°ãšããŠå®æœãããã管çã¯ãæ³ä»€ã倧統é 什ãæ¿çãæ瀺ãèŠåãèŠæ Œåã¯ä»»åã»äºæ¥ã ãŒãºããçããé£éŠæ¿åºåã³éèŠã€ã³ãã©å šäœã®æ§ã ãªã»ãã¥ãªãã£ã»ãã©ã€ãã·ãŒèŠä»¶ã察象 ãšããŠããããã®ææžã«ã¯ãç¹æ®ç®¡çããªãŒããŒã¬ã€ãåºæã®ä»»åã»äºæ¥æ©èœãæè¡åã¯éçšç° å¢ã«åãããŠçå®ããæ¹æ³ã説æãããŠãããæåŸã«ã»ãã¥ãªãã£å¯Ÿçã«ã¿ãã°ã¯ãæ©èœçãªé¢ ïŒã»ãã¥ãªãã£æ©èœã»ã¡ã«ããºã ã®åŒ·åºŠïŒãšä¿èšŒé¢ïŒå®æœããã»ãã¥ãªãã£èœåã®ä¿¡é Œæ§ïŒã®äž¡ æ¹ããã»ãã¥ãªãã£ãæ€èšãããæ©èœãšä¿èšŒã®äž¡é¢ãåãäžããããšã§ãæ å ±æè¡ã³ã³ããŒãã³ ã補åãšããã®è£œåã䜿çšããŠããã£ããããã·ã¹ãã ååãšã»ãã¥ãªãã£ãšã³ãžãã¢ãªã³ã°å åãé©çšããæ§ç¯ãããæ å ±ã·ã¹ãã ãååä¿¡é Œã«å¿ãããããã®ãšãªãã çµç¹ã®æ å ±ã·ã¹ãã ãšããããã®éçšç°å¢ã«å¯Ÿããã»ãã¥ãªãã£å¯Ÿçãéžå®ã»æå®ããããã®æº åãšããŠããŸãçµç¹ã¯ããããã·ã¹ãã ã«ããåŠçãä¿ç®¡åã¯éä¿¡ãããæ å ±ã®éèŠæ§ãšèŠæ³šæ æ§ãå€å®ããããã®ããã»ã¹ã¯ã»ãã¥ãªãã£åé¡ãšããŠç¥ãããŠãããFIPS 199[15]ã¯ãé£éŠæ¿ åºæ©é¢ãæ å ±åã³æ å ±ã·ã¹ãã çšã®ã»ãã¥ãªãã£åé¡ãèšå®ã§ããããã«ç€ºããŠãããISA ã CNSS ã«ããäœæãããä»ã®ææžãã圱é¿åºŠã«å¿ããŠäœã»äžã»é«ã¬ãã«ãå®ããã¬ã€ãã³ã¹ã瀺 ããŠããã ã»ãã¥ãªãã£åé¡ã¯ãç¹å®ã®äºè±¡ãèµ·ããŠãçµç¹ã®ä»»åéè¡ãè³ç£ä¿è·ãæ³ç責任ã®éè¡ãæ¥åžž æ¥åã®ç¶æåã³å人ã®å®å šã»å¥åº·ã»çåœä¿è·ã«å¿ èŠãšãããæ å ±ãæ å ±ã·ã¹ãã ãå±éºã«é¥ãå Ž åã®ãçµç¹åã¯å人ïŒåŸæ¥å¡åã¯åœæ°ïŒã«åã¶åœ±é¿åºŠãåºã«ããŠãããã»ãã¥ãªãã£åé¡ã¯è匱 æ§åã³è åšæ å ±ãšåãããŠãçµç¹ã«å¯Ÿãããªã¹ã¯è©äŸ¡ã«äœ¿çšãã¹ãã§ããã ãã®ãªãŒããŒã¬ã€ã¯ãæ å ±ã®æ©å¯æ§ãå®å šæ§åã³å¯çšæ§ãä¿è·ããããã«ããŸããå®ããããäž é£ã®ã»ãã¥ãªãã£èŠä»¶ãæºããããã«ãæ å ±ã·ã¹ãã ãçµç¹åãã«äœæãããã»ãã¥ãªãã£å¯Ÿ çã»ç®¡çæ¡åŒµçš ICS è£è¶³ã¬ã€ãã³ã¹ãšãªããã»ãã¥ãªãã£ç®¡çããŒã¹ã©ã€ã³ã®ã«ã¹ã¿ãã€ãºãå« ãŸãããã®ä»æ§ã¯å 
ã®ã»ãã¥ãªãã£ç®¡çããŒã¹ã©ã€ã³ä»æ§ãããå³ããå Žåãããã°ç·©ãå Žåã ãããçš®ã ã®æ å ±ã·ã¹ãã ã«é©çšå¯èœã§ããããã®ãªãŒããŒã¬ã€ã¯é«ã¬ãã«ã§ãå šãŠã® ICS ã«é© çšå¯èœã§ãããããå€ãã®åå¥ãªãŒããŒã¬ã€ã®åºç€ãšããŠäœ¿çšã§ãããå ·äœçãªç°å¢ã«ãããç¹ å®ã·ã¹ãã ã§ã®äœ¿çšäŸã¯å¥é瀺ãããŠããïŒNISTIR çïŒã 364 SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY Figure G-1 uses the AU-4 control as an example of the format and content of the detailed overlay control specifications. ï Control number and title. ï Column for control and control enhancement number. ï Column for control and control enhancement name. ï Columns for baselines. If the baselines have been supplemented, then SUPPLEMENTED appears. ï A row for each control or control enhancement. ï Columns for LOW, MODERATE, and HIGH baselines. ï âSelectedâ indicates the control is selected in NIST SP 800-53 Rev. 4. âAddedâ indicates the control is added to a baseline in the ICS overlay. A blank cell indicates the control is not selected. âRemovedâ indicates the control is removed from the baseline. ï The ICS Supplemental Guidance. If there is none, that is stated. ï The Control Enhancement ICS Supplemental Guidance. If there is none, that is stated. ï The rationale for changing the presence of a control or control enhancement in the baseline. ï AU-4 AUDIT STORAGE CAPACITY ï ï ï CONTROL NAME CNTL NO. ï SUPPLEMENTED CONTROL BASELINES Control Enhancement Name LOW MOD HIGH AU-4 Audit Storage Capacity Selected Selected Selected AU-4 (1) AUDIT STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE Added Added Added ï ï ï ï No ICS Supplemental Guidance. Control Enhancement: (1) ICS Supplemental Guidance: Legacy ICS typically are typically configured with remote storage on a separate information system (e.g., the historian in the DMZ accumulates historical operational ICS data and is backed up for storage at a different site). ICS are currently using online backup services and increasingly moving to Cloud based and Virtualized services. 
Retention of some data (e.g., SCADA telemetry) may be required by regulatory authorities. ï Rationale for adding control to baseline: Legacy ICS components typically do not have capacity to store or analyze audit data. The retention periods for some data, particularly compliance data, may require large volumes of storage. Figure G-1 Detailed Overlay Control Specifications Illustrated NIST SP 800-53 Rev. 4, Appendix F, contains Supplemental Guidance for all Controls and Control Enhancements [22]. ICS Supplemental Guidance in this overlay provides organizations with additional information on the application of the security controls and control enhancements in NIST SP 800-53 Rev. 4, Appendix F, to ICS and the environments in which these specialized systems operate. The ICS Supplemental Guidance also provides information as to why a particular security control or control enhancement may not be applicable in some ICS environments and may be a candidate for tailoring (i.e., the application of scoping guidance and/or compensating controls). 365 SP800-82 第 2 ç ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ã å³ G-1 ã¯ã詳现ãªãªãŒããŒã¬ã€ç®¡çä»æ§ã®æ§åŒåã³å 容ã®äžäŸãšããŠãAU-4 管çã䜿çšããŠã ãã ï 管çã®çªå·ãšé¡å ï 管çã»ç®¡çæ¡åŒµçªå·ã瀺ãã«ã©ã ï 管çã»ç®¡çæ¡åŒµåã瀺ãã«ã©ã ï ããŒã¹ã©ã€ã³ã瀺ãã«ã©ã ãããŒã¹ã©ã€ã³ã®è£è¶³ãããå Žåããè£è¶³ïŒSUPPLEMENTEDïŒããšè¡š 瀺ãããã å管çã»ç®¡çæ¡åŒµã瀺ãè¡ã ï ï ï ï ï ï äœã»äžã»é«åã³é«ããŒã¹ã©ã€ã³ã瀺ãã«ã©ã ãéžå®ã㯠NIST SP 800-53 第 4 çã§ç®¡çãéžå®ãããŠããããšã瀺ãããè¿œå ãã¯ç®¡ç ã ICS ãªãŒããŒã¬ã€ã®ããŒã¹ã©ã€ã³ã«è¿œå ãããŠããããšã瀺ãã空çœã»ã«ã¯ç®¡çãéž å®ãããŠããªãããšã瀺ãããåé€ãã¯ç®¡çãããŒã¹ã©ã€ã³ããåé€ãããããšã瀺ãã ICS è£è¶³ã¬ã€ãã³ã¹ãäœããªãå Žåããã®æšã®èšè¿°ãããã 管çæ¡åŒµ ICS è£è¶³ã¬ã€ãã³ã¹ãäœããªãå Žåããã®æšã®èšè¿°ãããã ããŒã¹ã©ã€ã³ã®ç®¡çã»ç®¡çæ¡åŒµã®æç¡ãå€ãã£ãçç± ï AU-4 AUDIT STORAGE CAPACITY ï ï ï CONTROL NAME CONTROL BASELINES Control Enhancement Name CNTL NO. 
ï SUPPLEMENTED LOW MOD HIGH AU-4 Audit Storage Capacity Selected Selected Selected AU-4 (1) AUDIT STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE Added Added Added ï ï ï ICS è£è¶³ã¬ã€ãã³ã¹ãªã ï 管çæ¡åŒµïŒ(1) ICS è£è¶³ã¬ã€ãã³ã¹ïŒã¬ã¬ã·ãŒICS ã¯ãäžè¬ã«å¥åã®æ å ±ã·ã¹ãã äžã®é éã¹ãã¬ãŒãžã§èšå®ãã㊠ããïŒDMZ ã®ãã¹ããªã¢ã³çã§ãICS ã®éçšå±¥æŽããŒã¿ãèç©ããå¥ãµã€ãã®ã¹ãã¬ãŒãžã«ä¿ç®¡ããïŒãICS ã¯ä» ã®ãšãããªã³ã©ã€ã³ããã¯ã¢ãããµãŒãã¹ãå©çšããŠããããã¯ã©ãŠãããŒã¹ã®ä»®æ³ãµãŒãã¹ã«æ¬¡ç¬¬ã«ç§»è¡ããŠã ããç¹å®ã®ããŒã¿ïŒSCADA ãã¬ã¡ããª-çïŒã®ä¿æãèŠå¶åœå±ãã矩åã¥ããããå Žåãããã ï ããŒã¹ã©ã€ã³ã«ç®¡çãè¿œå ããçç±ïŒäžè¬ã«ã¬ã¬ã·ãŒICS ã³ã³ããŒãã³ãã«ã¯ãç£æ»ããŒã¿ã®ä¿ååã¯åæ容éã ãªããç¹å®ã®ããŒã¿ãç¹ã«ã³ã³ãã©ã€ã¢ã³ã¹ããŒã¿ã®ä¿ææéã«ãã£ãŠãä¿ç®¡éã倧ãããªãã å³ G-1 詳现ãªãŒããŒã¬ã€ç®¡çä»æ§ã®èª¬æ NIST SP 800-53 第 4 çä»é² F ã«ãå šãŠã®ç®¡çã»ç®¡çæ¡åŒµè£è¶³ã¬ã€ãã³ã¹ããã[22]ããã®ãªãŒ ããŒã¬ã€ã® ICS è£è¶³ã¬ã€ãã³ã¹ã¯ãNIST SP 800-53 第 4 çã®ä»é² F ã«èšèŒãããã»ãã¥ãªã㣠察çåã³ç®¡çæ¡åŒµããICS åã³ãããå°çšã·ã¹ãã ã®å®è¡ç°å¢ã«é©çšããããã®è£è¶³æ å ±ã瀺ãã ãŸããICS ç°å¢ã«ãã£ãŠã¯ç¹å®ã®ã»ãã¥ãªãã£å¯Ÿçã管çæ¡åŒµãé©çšã§ããã調æŽãå¿ èŠãšãªã çç±ã«ã€ããŠã瀺ãïŒã¹ã³ãŒãã³ã°ã¬ã€ãã³ã¹åã¯è£åå¶åŸ¡ïŒã 366 SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY ACCESS CONTROL â AC Tailoring Considerations for Access Control Family Before implementing controls in the AC family, consider the tradeoffs among security, privacy, latency, performance, throughput, and reliability. For example, the organization considers whether latency induced from the use of confidentiality and integrity mechanisms employing cryptographic mechanisms would adversely impact the operational performance of the ICS. In situations where the ICS cannot support the specific Access Control requirements of a control, the organization employs compensating controls in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as appropriate. Supplemental Guidance Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 
4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any. AC-1 ACCESS CONTROL POLICY AND PROCEDURES CONTROL NAME CNTL NO. AC-1 CONTROL BASELINES Control Enhancement Name Access Control Policy and Procedures LOW MOD HIGH Selected Selected Selected ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems. ICS access by vendors and maintenance staff can occur over a very large facility footprint or geographic area and into unobserved spaces such as mechanical/electrical rooms, ceilings, floors, field substations, switch and valve vaults, and pump stations. AC-2 ACCOUNT MANAGEMENT CONTROL NAME CNTL NO. AC-2 AC-2 (1) CONTROL BASELINES Control Enhancement Name Account Management ACCOUNT MANAGEMENT | AUTOMATED SYSTEM ACCOUNT LOW MOD HIGH Selected Selected Selected Selected Selected Selected Selected MANAGEMENT AC-2 (2) ACCOUNT MANAGEMENT | REMOVAL OF TEMPORARY / EMERGENCY ACCOUNTS AC-2 (3) ACCOUNT MANAGEMENT | DISABLE INACTIVE ACCOUNTS Selected Selected AC-2 (4) ACCOUNT MANAGEMENT | AUTOMATED AUDIT ACTIONS Selected Selected AC-2 (5) ACCOUNT MANAGEMENT | INACTIVITY LOGOUT / TYPICAL Selected USAGE MONITORING AC-2 (11) ACCOUNT MANAGEMENT | USAGE CONDITIONS Selected AC-2 (12) ACCOUNT MANAGEMENT | ACCOUNT MONITORING / Selected ATYPICAL USAGE AC-2 (13) ACCOUNT MANAGEMENT | ACCOUNT REVIEWS Selected ICS Supplemental Guidance: Example compensating controls include providing increased physical security, personnel security, intrusion detection, auditing measures. Control Enhancement: (1, 3, 4) ICS Supplemental Guidance: Example compensating controls include employing nonautomated mechanisms or procedures. Control Enhancement: (2) ICS Supplemental Guidance: In situations where the ICS (e.g., field devices) cannot support temporary or emergency accounts, this enhancement does not apply. 
Example compensating controls include employing nonautomated mechanisms or procedures. Control Enhancement: (5) ICS Supplemental Guidance: Example compensating controls include employing nonautomated mechanisms or procedures. Control Enhancement: (11, 12, 13) No ICS Supplemental Guidance. 367 SP800-82 第 2 ç ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ã ã¢ã¯ã»ã¹å¶åŸ¡ - AC ã¢ã¯ã»ã¹å¶åŸ¡ãã¡ããªã®ã«ã¹ã¿ãã€ãºèæ ®äºé AC ãã¡ããªã§ç®¡çãå®æœããåã«ãã»ãã¥ãªãã£ããã©ã€ãã·ãŒãåŸ ã¡æéãããã©ãŒãã³ã¹ã ã¹ã«ãŒããããä¿¡é Œæ§ãæ¯èŒèéãããäŸãã°ãæå·ã¡ã«ããºã ãæ¡çšããŠæ©å¯æ§åã³å®å šæ§ã¡ ã«ããºã ãå©çšããããšã«ããçããåŸ ã¡æéããICS ã®éçšããã©ãŒãã³ã¹ãé»å®³ããªããçµ ç¹ã¯æ€èšããã ICS ãããå¶åŸ¡ã®ç¹å®ã®ã¢ã¯ã»ã¹å¶åŸ¡èŠä»¶ã«å¯Ÿå¿ããŠããªãç¶æ³ã§ã¯ãå šäœçãªã«ã¹ã¿ãã€ãºã¬ ã€ãã³ã¹ã«åŸã£ãŠè£åç管ççãæ¡çšãããè£å管çã®äŸãå¿ èŠã«å¿ããŠã管ççããšã«ç€ºãã ãã è£è¶³ã¬ã€ãã³ã¹ å©çšã§ããå Žåã«ã¯ãNIST SP 800-53 第 4 çä»é² F ã«ããå šãŠã®ç®¡çã»ç®¡çæ¡åŒµçšè£è¶³ã¬ã€ãã³ ã¹ããICS è£è¶³ã¬ã€ãã³ã¹ãšäœµçšãã¹ãã§ããã AC-1 ã¢ã¯ã»ã¹å¶åŸ¡ããªã·ãŒã»æé 管ççªå· 管çå 管çããŒã¹ã©ã€ã³ 管çæ¡åŒµå ã¢ã¯ã»ã¹å¶åŸ¡ããªã·ãŒã»æé AC-1 äœ äž é« éžå® éžå® éžå® ICS è£è¶³ã¬ã€ãã³ã¹ïŒããªã·ãŒã¯ç¹ã« ICS ã®åºæã®ç¹æ§ã»èŠä»¶åã³ ICS 以å€ã®ã·ã¹ãã ãšã®é¢ä¿ ãåãäžããããã³ããŒåã³ä¿å®èŠå¡ã«ãã ICS ãžã®ã¢ã¯ã»ã¹ã¯ãæ©æ¢°ã»é»æ°å®€ã倩äºãåºãå€ é»èšåãã¹ã€ããã»ãã«ã宀ããã³ã宀çãåºç¯ãªæœèšåã³å°åãç£èŠäžã«ãªã空éã«ãŸãã㣠ãŠããã AC-2 ã¢ã«ãŠã³ã管ç 管ççªå· 管çå 管çããŒã¹ã©ã€ã³ 管çæ¡åŒµå äž é« éžå® éžå® éžå® AC-2 (1) ã¢ã«ãŠã³ã管ç | åã·ã¹ãã ã¢ã«ãŠã³ã管ç éžå® éžå® AC-2 (2) ã¢ã«ãŠã³ã管ç |èšæã»ç·æ¥çšã¢ã«ãŠã³ãã®åé€ éžå® éžå® AC-2 (3) ã¢ã«ãŠã³ã管ç |ç¡æŽ»åã¢ã«ãŠã³ãã®ç¡å¹å éžå® éžå® AC-2 (4) ã¢ã«ãŠã³ã管ç | èªåç£æ»è¡çº éžå® éžå® AC-2 (5) ã¢ã«ãŠã³ã管ç | ç¡æŽ»åãã°ã¢ãŠãã»äžè¬çå©çšç£èŠ AC-2 ã¢ã«ãŠã³ã管ç äœ éžå® AC-2 (11) ã¢ã«ãŠã³ã管ç | å©çšç¶æ éžå® AC-2 (12) ã¢ã«ãŠã³ã管ç | ã¢ã«ãŠã³ãç£èŠã»é察称å©çš éžå® AC-2 (13) ã¢ã«ãŠã³ã管ç | ã¢ã«ãŠã³ãå¯©æ» éžå® ICS è£è¶³ã¬ã€ãã³ã¹ïŒè£åç管ççã®äŸãšããŠãç©ççã»ãã¥ãªãã£ã人çã»ãã¥ãªãã£ã äŸµå ¥æ€ç¥ãç£æ»æ段ã®åŒ·åãããã 管çæ¡åŒµïŒ(1, 3, 4) ICS è£è¶³ã¬ã€ãã³ã¹ïŒè£åç管ççã®äŸãšããŠãéèªåã¡ã«ããºã åã¯æ é ãããã 管çæ¡åŒµïŒ(2) ICS 
SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY

AC-3 ACCESS ENFORCEMENT

CNTL NO.   CONTROL NAME / Control Enhancement Name   LOW / MOD / HIGH
AC-3       Access Enforcement                        Selected / Selected / Selected

ICS Supplemental Guidance: The organization ensures that access enforcement mechanisms do not adversely impact the operational performance of the ICS. Example compensating controls include encapsulation. Policy for logical access control to non-addressable and non-routable system resources and the associated information is made explicit. Access control mechanisms include hardware, firmware, and software that controls or has device access, such as device drivers and communications controllers. Physical access control may serve as a compensating control for logical access control; however, it may not provide sufficient granularity in situations where users require access to different functions. Logical access enforcement may be implemented in encapsulating hardware and software.

AC-4 INFORMATION FLOW ENFORCEMENT

CNTL NO.   CONTROL NAME / Control Enhancement Name   LOW / MOD / HIGH
AC-4       Information Flow Enforcement              -- / Selected / Selected

ICS Supplemental Guidance: Physical addresses (e.g., a serial port) may be implicitly or explicitly associated with labels or attributes (e.g., hardware I/O address). Manual methods are typically static. Label or attribute policy mechanisms may be implemented in hardware, firmware, and software that controls or has device access, such as device drivers and communications controllers. Information flow policy may be supported by labeling or coloring physical connectors as an aid to manual hookup. Inspection of message content may enforce information flow policy. For example, a message containing a command to an actuator may not be permitted to flow between the control network and any other network.

AC-5 SEPARATION OF DUTIES

CNTL NO.   CONTROL NAME / Control Enhancement Name   LOW / MOD / HIGH
AC-5       Separation of Duties                      -- / Selected / Selected

ICS Supplemental Guidance: Example compensating controls include providing increased personnel security and auditing. The organization carefully considers the appropriateness of a single individual performing multiple critical roles.

AC-6 LEAST PRIVILEGE

CNTL NO.   CONTROL NAME / Control Enhancement Name                                              LOW / MOD / HIGH
AC-6       Least Privilege                                                                      -- / Selected / Selected
AC-6 (1)   LEAST PRIVILEGE | AUTHORIZE ACCESS TO SECURITY FUNCTIONS                             -- / Selected / Selected
AC-6 (2)   LEAST PRIVILEGE | NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS                    -- / Selected / Selected
AC-6 (3)   LEAST PRIVILEGE | NETWORK ACCESS TO PRIVILEGED COMMANDS                              -- / -- / Selected
AC-6 (5)   LEAST PRIVILEGE | PRIVILEGED ACCOUNTS                                                -- / Selected / Selected
AC-6 (9)   LEAST PRIVILEGE | AUDITING USE OF PRIVILEGED FUNCTIONS                               -- / Selected / Selected
AC-6 (10)  LEAST PRIVILEGE | PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS  -- / Selected / Selected

ICS Supplemental Guidance: Example compensating controls include providing increased personnel security and auditing.
The organization carefully considers the appropriateness of a single individual having multiple critical privileges. System privilege models may be tailored to enforce integrity and availability (e.g., lower privileges include read access and higher privileges include write access).

Control Enhancement: (1) ICS Supplemental Guidance: In situations where the ICS cannot support access control to security functions, the organization employs nonautomated mechanisms or procedures as compensating controls in accordance with the general tailoring guidance.

Control Enhancement: (2) ICS Supplemental Guidance: In situations where the ICS cannot support access control to nonsecurity functions, the organization employs nonautomated mechanisms or procedures as compensating controls in accordance with the general tailoring guidance.

Control Enhancement: (3) ICS Supplemental Guidance: In situations where the ICS cannot support network access control to privileged commands, the organization employs nonautomated mechanisms or procedures as compensating controls in accordance with the general tailoring guidance.

Control Enhancement: (5) ICS Supplemental Guidance: In situations where the ICS cannot support access control to privileged accounts, the organization employs nonautomated mechanisms or procedures as compensating controls in accordance with the general tailoring guidance.

Control Enhancement: (9) ICS Supplemental Guidance: In general, audit record processing is not performed on the ICS, but on a separate information system. Example compensating controls include providing an auditing capability on a separate information system.

Control Enhancement: (10) ICS Supplemental Guidance: Example compensating controls include enhanced auditing.

AC-7 UNSUCCESSFUL LOGIN ATTEMPTS

CNTL NO.   CONTROL NAME / Control Enhancement Name   LOW / MOD / HIGH
AC-7       Unsuccessful Login Attempts               Selected / Selected / Selected

ICS Supplemental Guidance: Many ICS must remain continuously on, and operators remain logged onto the system at all times. A "log-over" capability may be employed. Example compensating controls include logging or recording all unsuccessful login attempts and alerting ICS security personnel through alarms or other means when the number of organization-defined consecutive invalid access attempts is exceeded.

AC-8 SYSTEM USE NOTIFICATION

CNTL NO.   CONTROL NAME / Control Enhancement Name   LOW / MOD / HIGH
AC-8       System Use Notification                   Selected / Selected / Selected

ICS Supplemental Guidance: Many ICS must remain continuously on, and system use notification may not be supported or effective. Example compensating controls include posting physical notices in ICS facilities.

AC-10 CONCURRENT SESSION CONTROL

CNTL NO.   CONTROL NAME / Control Enhancement Name   LOW / MOD / HIGH
AC-10      Concurrent Session Control                -- / -- / Selected

ICS Supplemental Guidance: The number, account type, and privileges of concurrent sessions take into account the roles and responsibilities of the affected individuals. Example compensating controls include providing increased auditing measures.
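The AC-4 guidance above notes that inspecting message content can enforce information flow policy, giving as its example an actuator command that must not pass between the control network and any other network; AC-6 adds that privilege models may treat read access as the lower privilege and write access as the higher one. The Python below is an added illustration of both points written for this edition; it is not code from NIST or from the publication. It assumes Modbus/TCP as the protocol crossing the boundary, and the zone names, sample frames and policy table are constructed for the example. A production boundary device would additionally pin unit identifiers, register ranges and permitted source hosts.

```python
"""Boundary filter that inspects Modbus/TCP message content (added example).

Policy: read-only requests (and their replies) may cross zones; any frame
carrying a write, i.e. a command to an actuator, may not; anything the
parser cannot validate is denied. Zone names, frames and the policy table
are constructed for this example, not taken from the publication.
"""
import struct
from dataclasses import dataclass

# Public Modbus function codes that only read process data.
READ_FUNCTIONS = {1, 2, 3, 4}             # read coils / discrete inputs / holding / input registers
# Function codes that write coils or registers, i.e. commands to actuators.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}  # write single/multiple coil/register, mask write, read-write multiple


@dataclass(frozen=True)
class Frame:
    src_zone: str   # constructed zone labels: "business" or "control"
    dst_zone: str
    payload: bytes  # raw Modbus/TCP frame: 7-byte MBAP header followed by the PDU


def parse_modbus_tcp(payload: bytes):
    """Return (unit_id, function_code) for a well-formed frame, else None.

    MBAP header: transaction id (2), protocol id (2, must be 0), length
    (2, counts unit id + PDU), unit id (1). The PDU starts with the function
    code; bit 7 set marks an exception response.
    """
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def decide(frame: Frame):
    """Return ("permit" | "deny", reason). Anything not explicitly permitted is denied."""
    parsed = parse_modbus_tcp(frame.payload)
    if parsed is None:
        return "deny", "malformed or non-Modbus payload"
    unit, fc = parsed
    base_fc = fc & 0x7F  # strip the exception bit so a reply matches the request it answers
    if frame.src_zone == frame.dst_zone:
        return "permit", f"intra-zone traffic, unit {unit}, function {base_fc}"
    if base_fc in READ_FUNCTIONS:
        return "permit", f"read-only function {base_fc} may cross zones"
    if base_fc in WRITE_FUNCTIONS:
        return "deny", f"actuator command (function {base_fc}) may not cross zones"
    return "deny", f"function {base_fc} is not in the flow policy"


# Constructed sample frames: transaction id, protocol id 0, length, unit id, PDU.
READ_HOLDING_REGS = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)       # read 10 registers from address 0
WRITE_SINGLE_COIL = struct.pack(">HHHBBHH", 2, 0, 6, 1, 5, 16, 0xFF00)  # energise coil 16
WRITE_MULTI_REGS = (struct.pack(">HHHB", 3, 0, 9, 1)
                    + struct.pack(">BHHB", 16, 0, 1, 2) + struct.pack(">H", 1234))
EXCEPTION_READ = struct.pack(">HHHBBB", 1, 0, 3, 1, 0x83, 0x02)         # exception reply to a read request
BAD_LENGTH = struct.pack(">HHHBBHH", 4, 0, 0x99, 1, 3, 0, 1)            # length field disagrees with the frame


def evaluate_samples():
    """Run the policy over the constructed frames; returns {label: verdict}."""
    cases = {
        "business->control read": Frame("business", "control", READ_HOLDING_REGS),
        "control->business read reply (exception)": Frame("control", "business", EXCEPTION_READ),
        "business->control write coil": Frame("business", "control", WRITE_SINGLE_COIL),
        "business->control write registers": Frame("business", "control", WRITE_MULTI_REGS),
        "control->control write coil": Frame("control", "control", WRITE_SINGLE_COIL),
        "business->control bad length": Frame("business", "control", BAD_LENGTH),
    }
    return {label: decide(frame)[0] for label, frame in cases.items()}


if __name__ == "__main__":
    for label, verdict in evaluate_samples().items():
        print(f"{verdict:6s} {label}")
```

Default deny is the important design choice: a frame whose length field does not match, or whose function code the policy does not list, is dropped rather than passed, so the filter fails closed if a device speaks a dialect the parser was not written for.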
AC-11 SESSION LOCK

CNTL NO.   CONTROL NAME / Control Enhancement Name   LOW / MOD / HIGH
AC-11      Session Lock                              -- / Selected / Selected
AC-11 (1)  SESSION LOCK | PATTERN-HIDING DISPLAYS    -- / Selected / Selected

ICS Supplemental Guidance: This control assumes a staffed environment where users interact with information system displays. When this assumption does not apply, the organization tailors the control appropriately (e.g., the ICS may be physically protected by placement in a locked enclosure). The control may also be tailored for ICS that are not configured with displays but which have the capability to support displays (e.g., ICS to which a maintenance technician may attach a display). In some cases, session lock for ICS operator workstations/nodes is not advised (e.g., when immediate operator responses are required in emergency situations). Example compensating controls include locating the display in an area with physical access controls that limit access to individuals with permission and need-to-know for the displayed information.

Control Enhancement: (1) ICS Supplemental Guidance: ICS may employ physical protection to prevent access to a display or to prevent attachment of a display. In situations where the ICS cannot conceal displayed information, the organization employs nonautomated mechanisms or procedures as compensating controls in accordance with the general tailoring guidance.

AC-12 SESSION TERMINATION

CNTL NO.   CONTROL NAME / Control Enhancement Name   LOW / MOD / HIGH
AC-12      Session Termination                       -- / Selected / Selected

ICS Supplemental Guidance: Example compensating controls include providing increased auditing measures or limiting remote access privileges to key personnel.

AC-14 PERMITTED ACTIONS WITHOUT IDENTIFICATION OR AUTHENTICATION

CNTL NO.   CONTROL NAME / Control Enhancement Name                        LOW / MOD / HIGH
AC-14      Permitted Actions without Identification or Authentication     -- / Selected / Selected

No ICS Supplemental Guidance.

AC-17 REMOTE ACCESS

CNTL NO.   CONTROL NAME / Control Enhancement Name                                       LOW / MOD / HIGH
AC-17      Remote Access                                                                 Selected / Selected / Selected
AC-17 (1)  REMOTE ACCESS | AUTOMATED MONITORING / CONTROL                                -- / Selected / Selected
AC-17 (2)  REMOTE ACCESS | PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION    -- / Selected / Selected
AC-17 (3)  REMOTE ACCESS | MANAGED ACCESS CONTROL POINTS                                 -- / Selected / Selected
AC-17 (4)  REMOTE ACCESS | PRIVILEGED COMMANDS / ACCESS                                  -- / Selected / Selected

ICS Supplemental Guidance: In situations where the ICS cannot implement any or all of the components of this control, the organization employs other mechanisms or procedures as compensating controls in accordance with the general tailoring guidance.

Control Enhancement: (1) ICS Supplemental Guidance: Example compensating controls include employing nonautomated mechanisms or procedures as compensating controls (e.g., following manual authentication [see IA-2], dial-in remote access may be enabled for a specified period of time, or a call may be placed from the ICS site to the authenticated remote entity).
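AC-7 above lists, as a compensating control, recording every unsuccessful login attempt on a separate system and alerting ICS security personnel when the organization-defined number of consecutive invalid attempts is exceeded; AC-17 (1) and the AC-12/AC-17 notes on increased auditing of remote sessions and limiting remote access to key personnel lean on the same separate audit system. The Python below is an added example for this edition that serves both passages; it is not code from NIST or from the publication. The log line format, host and user names, addresses, the set of paths counted as remote, the key-personnel list and the threshold are all constructed.

```python
"""Failed-login alerting and remote-session auditing on a separate audit system (added example).

AC-7 compensating control: count consecutive invalid attempts per account and
alert when the organization-defined maximum is exceeded.
AC-17 compensating controls: record every remote login and alert when the
account is not on the key-personnel list.
Log format, names, addresses and thresholds are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed line format: "<ISO time> <host> auth: result=OK|FAIL user=<u> src=<ip> via=<path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: result=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) via=(?P<via>\S+)$"
)

REMOTE_PATHS = frozenset({"vpn", "dialin"})  # constructed: access paths that count as remote


def parse_line(line: str):
    """Return the event fields as a dict, or None for a line the parser does not understand."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, max_attempts=3, key_personnel=frozenset({"eng_oncall"})):
    """Walk the audit lines in order; return (alerts, remote_sessions).

    alerts           list of (kind, detail) tuples, in the order they were raised
    remote_sessions  list of (ts, host, user, src, via) for every successful remote login
    Consecutive failures are tracked per (host, user) and reset by a success,
    which is how AC-7 counts invalid attempts against one account.
    """
    consecutive = defaultdict(int)
    alerts, remote_sessions = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            # Audit data the collector cannot read is itself reportable (see AU-5).
            alerts.append(("UNPARSEABLE", line))
            continue
        key = (ev["host"], ev["user"])
        if ev["result"] == "FAIL":
            consecutive[key] += 1
            if consecutive[key] > max_attempts:
                alerts.append(("LOCKOUT_THRESHOLD",
                               f"{ev['user']}@{ev['host']}: {consecutive[key]} consecutive "
                               f"failures from {ev['src']} (max {max_attempts})"))
            continue
        consecutive[key] = 0
        if ev["via"] in REMOTE_PATHS:
            remote_sessions.append((ev["ts"], ev["host"], ev["user"], ev["src"], ev["via"]))
            if ev["user"] not in key_personnel:
                alerts.append(("REMOTE_NOT_KEY_PERSONNEL",
                               f"{ev['user']} logged in via {ev['via']} from {ev['src']}"))
    return alerts, remote_sessions


# Constructed sample of what the separate audit system has collected.
SAMPLE_LOG = [
    "2015-05-12T08:00:01Z hmi01 auth: result=FAIL user=operator src=10.1.2.7 via=console",
    "2015-05-12T08:00:05Z hmi01 auth: result=FAIL user=operator src=10.1.2.7 via=console",
    "2015-05-12T08:00:09Z hmi01 auth: result=OK user=operator src=10.1.2.7 via=console",
    "2015-05-12T08:10:00Z eng01 auth: result=FAIL user=vendor src=203.0.113.5 via=vpn",
    "2015-05-12T08:10:04Z eng01 auth: result=FAIL user=vendor src=203.0.113.5 via=vpn",
    "2015-05-12T08:10:08Z eng01 auth: result=FAIL user=vendor src=203.0.113.5 via=vpn",
    "2015-05-12T08:10:12Z eng01 auth: result=FAIL user=vendor src=203.0.113.5 via=vpn",
    "2015-05-12T08:10:16Z eng01 auth: result=OK user=vendor src=203.0.113.5 via=vpn",
    "2015-05-12T09:00:00Z eng01 auth: result=OK user=eng_oncall src=198.51.100.9 via=dialin",
    "2015-05-12T09:00:30Z eng01 auth: result=OK user=eng_oncall",  # truncated record
]


if __name__ == "__main__":
    found_alerts, sessions = analyse(SAMPLE_LOG)
    for kind, detail in found_alerts:
        print(f"ALERT {kind}: {detail}")
    for session in sessions:
        print("remote session:", session)
```

On the constructed log the operator's two failures followed by a success raise nothing, the vendor's fourth consecutive failure exceeds the maximum of three and raises one alert, the vendor's subsequent VPN login is recorded and flagged because the account is not key personnel, the on-call engineer's dial-in login is recorded without an alert, and the truncated record is reported rather than silently skipped.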
Control Enhancement: (2) ICS Supplemental Guidance: ICS security objectives often rank confidentiality below availability and integrity. The organization explores all possible cryptographic mechanisms (e.g., encryption, digital signature, hash function). Each mechanism has a different delay impact. Example compensating controls include providing increased auditing for remote sessions or limiting remote access privileges to key personnel.

Control Enhancement: (3) ICS Supplemental Guidance: Example compensating controls include connection-specific manual authentication of the remote entity.

Control Enhancement: (4) No ICS Supplemental Guidance.

ICS Supplemental Guidance: Example compensating controls include employing nonautomated mechanisms or procedures as compensating controls in accordance with the general tailoring guidance.

AC-18 WIRELESS ACCESS

CNTL NO.   CONTROL NAME / Control Enhancement Name               LOW / MOD / HIGH
AC-18      Wireless Access                                       Selected / Selected / Selected
AC-18 (1)  WIRELESS ACCESS | AUTHENTICATION AND ENCRYPTION       -- / Selected / Selected
AC-18 (4)  WIRELESS ACCESS | RESTRICT CONFIGURATIONS BY USERS    -- / -- / Selected
AC-18 (5)  WIRELESS ACCESS | CONFINE WIRELESS COMMUNICATIONS     -- / -- / Selected

ICS Supplemental Guidance: In situations where the ICS cannot implement any or all of the components of this control, the organization employs other mechanisms or procedures as compensating controls in accordance with the general tailoring guidance.

Control Enhancement: (1) ICS Supplemental Guidance: See AC-17 Control Enhancement (1) ICS Supplemental Guidance. Example compensating controls include providing increased auditing for wireless access or limiting wireless access privileges to key personnel.

Control Enhancement: (4) (5) No ICS Supplemental Guidance.

AC-19 ACCESS CONTROL FOR MOBILE DEVICES
CNTL NO.   CONTROL NAME / Control Enhancement Name                                          LOW / MOD / HIGH
AC-19      Access Control for Mobile Devices                                                Selected / Selected / Selected
AC-19 (5)  ACCESS CONTROL FOR MOBILE DEVICES | FULL DEVICE / CONTAINER-BASED ENCRYPTION     -- / Selected / Selected

No ICS Supplemental Guidance.

AC-20 USE OF EXTERNAL INFORMATION SYSTEMS

CNTL NO.   CONTROL NAME / Control Enhancement Name                                LOW / MOD / HIGH
AC-20      Use of External Information Systems                                    Selected / Selected / Selected
AC-20 (1)  USE OF EXTERNAL INFORMATION SYSTEMS | LIMITS ON AUTHORIZED USE         -- / Selected / Selected
AC-20 (2)  USE OF EXTERNAL INFORMATION SYSTEMS | PORTABLE STORAGE MEDIA           -- / Selected / Selected

ICS Supplemental Guidance: Organizations refine the definition of "external" to reflect lines of authority and responsibility; granularity of organization entity; and their relationships. An organization may consider a system to be external if that system performs different functions, implements different policies, comes under different managers, or does not provide sufficient visibility into the implementation of security controls to allow the establishment of a satisfactory trust relationship. For example, a process control system and a business data processing system would typically be considered external to each other. Access to an ICS for support by a business partner, such as a vendor or support contractor, is another common example. The definition and trustworthiness of external information systems is reexamined with respect to ICS functions, purposes, technology, and limitations to establish a clear documented technical or business case for use and an acceptance of the risk inherent in the use of an external information system.

Control Enhancement: (1, 2) No ICS Supplemental Guidance.

AC-21 INFORMATION SHARING

CNTL NO.   CONTROL NAME / Control Enhancement Name   LOW / MOD / HIGH
AC-21      Collaboration and Information Sharing     Added / Selected / Selected

ICS Supplemental Guidance: The organization should collaborate and share information about potential incidents on a timely basis. The DHS National Cybersecurity & Communications Integration Center (NCCIC), http://www.dhs.gov/about-national-cybersecurity-communications-integration-center, serves as a centralized location where operational elements involved in cybersecurity and communications reliance are coordinated and integrated. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), http://ics-cert.us-cert.gov/ics-cert/, collaborates with international and private sector Computer Emergency Response Teams (CERTs) to share control systems-related security incidents and mitigation measures. Organizations should consider having both an unclassified and classified information sharing capability.

Rationale for adding AC-21 to low baseline: ICS systems provide essential services and control functions and are often connected to other ICS systems or business systems that can be vectors of attack. It is therefore necessary to provide a uniform defense encompassing all baselines.

AC-22 PUBLICLY ACCESSIBLE CONTENT

CNTL NO.   CONTROL NAME / Control Enhancement Name   LOW / MOD / HIGH
AC-22      Publicly Accessible Content               Selected / Selected / Selected

ICS Supplemental Guidance: Generally, public access to ICS systems is not permitted. Selected information may be transferred to a publicly accessible information system, possibly with added controls (e.g., introduction of fuzziness or delay).

AWARENESS AND TRAINING – AT

Supplemental Guidance

Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.

AT-1 SECURITY AWARENESS AND TRAINING POLICY AND PROCEDURES

CNTL NO.   CONTROL NAME / Control Enhancement Name                  LOW / MOD / HIGH
AT-1       Security Awareness and Training Policy and Procedures    Selected / Selected / Selected

ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

AT-2 SECURITY AWARENESS TRAINING

CNTL NO.   CONTROL NAME / Control Enhancement Name   LOW / MOD / HIGH
AT-2       Security Awareness                        Selected / Selected / Selected

ICS Supplemental Guidance: Security awareness training includes initial and periodic review of ICS-specific policies, standard operating procedures, security trends, and vulnerabilities. The ICS security awareness program is consistent with the requirements of the security awareness and training policy established by the organization.

Control Enhancement: (2) No ICS Supplemental Guidance.

AT-3 ROLE-BASED SECURITY TRAINING

CNTL NO.   CONTROL NAME / Control Enhancement Name   LOW / MOD / HIGH
AT-3       Role-Based Security Training              Selected / Selected / Selected

ICS Supplemental Guidance: Security training includes initial and periodic review of ICS-specific policies, standard operating procedures, security trends, and vulnerabilities. The ICS security training program is consistent with the requirements of the security awareness and training policy established by the organization.

AT-4 SECURITY TRAINING RECORDS

CNTL NO.   CONTROL NAME / Control Enhancement Name   LOW / MOD / HIGH
AT-4       Security Training Records                 Selected / Selected / Selected

No ICS Supplemental Guidance.
AUDITING AND ACCOUNTABILITY – AU

Tailoring Considerations for Audit Family

In general, audit information and audit tools are not present on legacy ICS, but on a separate information system (e.g., the historian). In situations where the ICS cannot support the specific Audit and Accountability requirements of a control, the organization employs compensating controls in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as appropriate.

Supplemental Guidance

Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.

AU-1 AUDIT AND ACCOUNTABILITY POLICY AND PROCEDURES

CNTL NO.   CONTROL NAME / Control Enhancement Name         LOW / MOD / HIGH
AU-1       Audit and Accountability Policy and Procedures  Selected / Selected / Selected

ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

AU-2 AUDIT EVENTS

CNTL NO.   CONTROL NAME / Control Enhancement Name     LOW / MOD / HIGH
AU-2       Auditable Events                            Selected / Selected / Selected
AU-2 (3)   AUDITABLE EVENTS | REVIEWS AND UPDATES      -- / Selected / Selected

ICS Supplemental Guidance: The organization may designate ICS events as audit events, requiring that ICS data and/or telemetry be recorded as audit data.

Control Enhancement: (3) No ICS Supplemental Guidance.

AU-3 CONTENT OF AUDIT RECORDS

CNTL NO.   CONTROL NAME / Control Enhancement Name                                                  LOW / MOD / HIGH
AU-3       Content of Audit Records                                                                 Selected / Selected / Selected
AU-3 (1)   CONTENT OF AUDIT RECORDS | ADDITIONAL AUDIT INFORMATION                                  -- / Selected / Selected
AU-3 (2)   CONTENT OF AUDIT RECORDS | CENTRALIZED MANAGEMENT OF PLANNED AUDIT RECORD CONTENT        -- / -- / Selected

ICS Supplemental Guidance: Example compensating controls include providing an auditing capability on a separate information system.

Control Enhancement: (1, 2) No ICS Supplemental Guidance.

AU-4 AUDIT STORAGE CAPACITY

CNTL NO.   CONTROL NAME / Control Enhancement Name                        LOW / MOD / HIGH
AU-4       Audit Storage Capacity                                         Selected / Selected / Selected
AU-4 (1)   AUDIT STORAGE CAPACITY | TRANSFER TO ALTERNATE STORAGE         Added / Added / Added

No ICS Supplemental Guidance.
Control Enhancement: (1) ICS Supplemental Guidance: Legacy ICS are typically configured with remote storage on a separate information system (e.g., the historian accumulates historical operational ICS data and is backed up for storage at a different site). ICS are currently using online backup services and increasingly moving to cloud-based and virtualized services. Retention of some data (e.g., SCADA telemetry) may be required by regulatory authorities.

Rationale for adding AU-4 (1) to all baselines: Legacy ICS components typically do not have capacity to store or analyze audit data. The retention periods for some data, particularly compliance data, may require large volumes of storage.

AU-5 RESPONSE TO AUDIT PROCESSING FAILURES

CNTL NO.   CONTROL NAME / Control Enhancement Name                                  LOW / MOD / HIGH
AU-5       Response to Audit Processing Failures                                    Selected / Selected / Selected
AU-5 (1)   RESPONSE TO AUDIT PROCESSING FAILURES | AUDIT STORAGE CAPACITY           -- / -- / Selected
AU-5 (2)   RESPONSE TO AUDIT PROCESSING FAILURES | REAL-TIME ALERTS                 -- / -- / Selected

No ICS Supplemental Guidance.

AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING

CNTL NO.   CONTROL NAME / Control Enhancement Name                                                          LOW / MOD / HIGH
AU-6       Audit Review, Analysis, and Reporting                                                            Selected / Selected / Selected
AU-6 (1)   AUDIT REVIEW, ANALYSIS, AND REPORTING | PROCESS INTEGRATION                                      -- / Selected / Selected
AU-6 (3)   AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATE AUDIT REPOSITORIES                             -- / Selected / Selected
AU-6 (5)   AUDIT REVIEW, ANALYSIS, AND REPORTING | INTEGRATION / SCANNING AND MONITORING CAPABILITIES       -- / -- / Selected
AU-6 (6)   AUDIT REVIEW, ANALYSIS, AND REPORTING | CORRELATION WITH PHYSICAL MONITORING                     -- / -- / Selected

No ICS Supplemental Guidance.

Control Enhancement: (1) ICS Supplemental Guidance: Example compensating controls include manual mechanisms or procedures.

Control Enhancement: (3, 5, 6) No ICS Supplemental Guidance.

AU-7 AUDIT REDUCTION AND REPORT GENERATION

CNTL NO.   CONTROL NAME / Control Enhancement Name                              LOW / MOD / HIGH
AU-7       Audit Reduction and Report Generation                                -- / Selected / Selected
AU-7 (1)   AUDIT REDUCTION AND REPORT GENERATION | AUTOMATIC PROCESSING         -- / Selected / Selected

No ICS Supplemental Guidance.

Control Enhancement: (1) No ICS Supplemental Guidance.
AU-8 TIME STAMPS

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  AU-8      Selected  Selected  Selected  Time Stamps
  AU-8 (1)  -         Selected  Selected  TIME STAMPS | SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE

ICS Supplemental Guidance: Example compensating controls include using a separate information system designated as an authoritative time source.
Control Enhancement: (1) ICS Supplemental Guidance: ICS employ suitable mechanisms (e.g., GPS, IEEE 1588) for time stamps.

AU-9 PROTECTION OF AUDIT INFORMATION

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  AU-9      Selected  Selected  Selected  Protection of Audit Information
  AU-9 (2)  -         -         Selected  PROTECTION OF AUDIT INFORMATION | AUDIT BACKUP ON SEPARATE PHYSICAL SYSTEMS / COMPONENTS
  AU-9 (3)  -         -         Selected  PROTECTION OF AUDIT INFORMATION | CRYPTOGRAPHIC PROTECTION
  AU-9 (4)  -         Selected  Selected  PROTECTION OF AUDIT INFORMATION | ACCESS BY SUBSET OF PRIVILEGED USERS

No ICS Supplemental Guidance.

AU-10 NON-REPUDIATION

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  AU-10     -         -         Selected  Non-repudiation

ICS Supplemental Guidance: Example compensating controls include providing non-repudiation on a separate information system.

AU-11 AUDIT RECORD RETENTION

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  AU-11     Selected  Selected  Selected  Audit Record Retention

No ICS Supplemental Guidance.

AU-12 AUDIT GENERATION

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  AU-12     Selected  Selected  Selected  Audit Generation
  AU-12 (1) -         -         Selected  AUDIT GENERATION | SYSTEM-WIDE / TIME-CORRELATED AUDIT TRAIL
  AU-12 (3) -         -         Selected  AUDIT GENERATION | CHANGES BY AUTHORIZED INDIVIDUALS

No ICS Supplemental Guidance.
Control Enhancement: (1) ICS Supplemental Guidance: Example compensating controls include providing time-correlated audit records on a separate information system.
Control Enhancement: (3) ICS Supplemental Guidance: Example compensating controls include employing nonautomated mechanisms or procedures.
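The AU controls above keep pointing at the same compensating pattern: a separate information system that keeps audit records on behalf of legacy ICS components (AU-3, AU-4 (1)), stamps them from an authoritative time source (AU-8, AU-12 (1)) and protects them cryptographically (AU-9 (3)). The Python collector below is an added illustration of that pattern, not code from NIST SP 800-82 or from the JPCERT translation; the device names, events, the HMAC key and the injected clock are all constructed for the example. It shows how receipt-time stamping lets the collector flag device clock skew, and how a hash chain plus a per-record HMAC lets a reviewer detect modified, reordered or missing records.

```python
"""Audit collector for legacy ICS components (added example, not from NIST SP 800-82).

A separate system receives events from devices that have no audit storage or
trustworthy clock, stamps each record with authoritative time, and keeps the
records in a hash chain with a per-record HMAC so tampering is detectable.
Device names, events, the key and the clock below are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

SKEW_TOLERANCE_S = 5.0   # assumed site policy: flag device clocks more than 5 s off
GENESIS = "0" * 64       # chain head before the first record


def _canonical(record: dict) -> bytes:
    """Deterministic serialization of a record without its MAC field."""
    body = {k: v for k, v in record.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditCollector:
    """Separate information system that audits on behalf of ICS devices."""

    def __init__(self, key: bytes, clock):
        self._key = key        # HMAC key; in practice from a KMS/HSM, never stored on the PLC
        self._clock = clock    # callable returning aware UTC time from a GPS / IEEE 1588 disciplined source
        self.head = GENESIS    # hash of the newest record; anchor it off-box (AU-9 (2))
        self.records = []

    def ingest(self, device: str, event: dict) -> dict:
        """Stamp an event with receipt time, note device clock skew, chain it."""
        received = self._clock()
        skew = None
        if event.get("device_time"):
            device_time = datetime.fromisoformat(event["device_time"])
            skew = round((device_time - received).total_seconds(), 3)
        record = {
            "seq": len(self.records),
            "device": device,
            "received_utc": received.isoformat(),
            "device_skew_s": skew,                       # None when the device has no clock
            "skew_exceeded": skew is not None and abs(skew) > SKEW_TOLERANCE_S,
            "event": event,
            "prev": self.head,
        }
        body = _canonical(record)
        record["mac"] = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        self.head = hashlib.sha256(body).hexdigest()
        self.records.append(record)
        return record


def verify_chain(records, key: bytes, expected_head: str):
    """Re-walk the chain; return (ok, detail).

    Detects modified, reordered, inserted and deleted records and, because the
    final hash is compared with an externally held head, records dropped from
    the tail, which a chain on its own cannot reveal.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, f"chain break at seq {i}"
        body = _canonical(rec)
        expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_mac, rec.get("mac", "")):
            return False, f"bad MAC at seq {i}"
        prev = hashlib.sha256(body).hexdigest()
    if prev != expected_head:
        return False, "head mismatch (records missing from tail?)"
    return True, "ok"


DEMO_KEY = b"collector-hmac-key-placeholder"   # constructed; not a real key


def demo() -> AuditCollector:
    """Constructed traffic: a PLC with no clock and an RTU whose clock drifts."""
    base = datetime(2015, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    ticks = iter(range(100))
    clock = lambda: base + timedelta(seconds=next(ticks))   # one second per received event
    c = AuditCollector(DEMO_KEY, clock)
    c.ingest("PLC-07", {"type": "setpoint_write", "tag": "FIC101.SP", "value": 42.0})
    c.ingest("RTU-03", {"type": "login", "user": "oper1",
                        "device_time": "2015-05-01T12:00:01+00:00"})   # matches receipt time
    c.ingest("RTU-03", {"type": "logout", "user": "oper1",
                        "device_time": "2015-05-01T11:59:00+00:00"})   # 62 s behind: flagged
    return c


if __name__ == "__main__":
    c = demo()
    for r in c.records:
        print(r["seq"], r["device"], r["received_utc"], "skew:", r["device_skew_s"], "flag:", r["skew_exceeded"])
    print(verify_chain(c.records, DEMO_KEY, c.head))
```

Two limits the example makes visible are worth stating. A chain verified without an externally anchored head cannot tell that the newest records were deleted, which is why verify_chain takes expected_head and why AU-9 (2) wants a copy on a separate physical system. And an HMAC whose key the verifier also holds gives integrity and origin assurance to the key holder, not the non-repudiation AU-10 asks for; that needs a signature made with a key only the originating system holds.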
SECURITY ASSESSMENT AND AUTHORIZATION - CA

Tailoring Considerations for Security Assessment and Authorization Family
In situations where the ICS cannot support the specific Security Assessment and Authorization requirements of a control, the organization employs compensating controls in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as appropriate.

Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.

CA-1 SECURITY ASSESSMENT AND AUTHORIZATION POLICY AND PROCEDURES

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  CA-1      Selected  Selected  Selected  Security Assessment and Authorization Policy and Procedures

ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

CA-2 SECURITY ASSESSMENTS

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  CA-2      Selected  Selected  Selected  Security Assessments
  CA-2 (1)  -         Selected  Selected  SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS
  CA-2 (2)  -         -         Selected  SECURITY ASSESSMENTS | TYPES OF ASSESSMENTS

ICS Supplemental Guidance: Assessments are performed and documented by qualified assessors (i.e., experienced in assessing ICS) authorized by the organization. The organization ensures that assessments do not interfere with ICS functions. The individual/group conducting the assessment fully understands the organizational information security policies and procedures, the ICS security policies and procedures, and the specific health, safety, and environmental risks associated with a particular facility and/or process. The organization ensures that the assessment does not affect system operation or result in unintentional system modification. If assessment activities must be performed on the production ICS, it may need to be taken off-line before an assessment can be conducted. If an ICS must be taken off-line to conduct an assessment, the assessment is scheduled to occur during planned ICS outages whenever possible.
Control Enhancement: (1) No ICS Supplemental Guidance.
Control Enhancement: (2) ICS Supplemental Guidance: The organization conducts risk analysis to support the selection of the assessment target (e.g., the live system, an off-line replica, a simulation).

CA-3 SYSTEM INTERCONNECTIONS

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  CA-3      Selected  Selected  Selected  System Interconnections
  CA-3 (5)  -         Selected  Selected  SYSTEM INTERCONNECTIONS | RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS

ICS Supplemental Guidance: Organizations perform risk-benefit analysis to support the determination of whether an ICS should be connected to other information system(s). The Authorizing Official fully understands the organizational information security policies and procedures; the ICS security policies and procedures; the risks to organizational operations and assets, individuals, other organizations, and the Nation associated with the connection to other information system(s); and the specific health, safety, and environmental risks associated with a particular interconnection. The AO documents risk acceptance in the ICS system security plan.
Control Enhancement: (5) No ICS Supplemental Guidance.
CA-5 PLAN OF ACTION AND MILESTONES

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  CA-5      Selected  Selected  Selected  Plan of Action and Milestones

No ICS Supplemental Guidance.

CA-6 SECURITY AUTHORIZATION

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  CA-6      Selected  Selected  Selected  Security Authorization

No ICS Supplemental Guidance.

CA-7 CONTINUOUS MONITORING

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  CA-7      Selected  Selected  Selected  Continuous Monitoring
  CA-7 (1)  -         Selected  Selected  CONTINUOUS MONITORING | INDEPENDENT ASSESSMENT

ICS Supplemental Guidance: Continuous monitoring programs for ICS are designed, documented, and implemented by qualified personnel (i.e., experienced with ICS) selected by the organization. The organization ensures that continuous monitoring does not interfere with ICS functions. The individual/group designing and conducting the continuous monitoring fully understands the organizational information security policies and procedures, the ICS security policies and procedures, and the specific health, safety, and environmental risks associated with a particular facility and/or process. The organization ensures that continuous monitoring does not affect system operation or result in intentional or unintentional system modification. Example compensating controls include external monitoring.
Control Enhancement: (1) No ICS Supplemental Guidance.

CA-8 PENETRATION TESTING

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  CA-8      -         -         Selected  Penetration Testing

ICS Supplemental Guidance: Penetration testing is used with care on ICS networks to ensure that ICS functions are not adversely impacted by the testing process. In general, ICS are highly sensitive to timing constraints and have limited resources. Example compensating controls include employing a replicated, virtualized, or simulated system to conduct penetration testing. Production ICS may need to be taken off-line before testing can be conducted. If ICS are taken off-line for testing, tests are scheduled to occur during planned ICS outages whenever possible. If penetration testing is performed on non-ICS networks, extra care is taken to ensure that tests do not propagate into the ICS network.
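The CA-8 guidance closes with the requirement that tests run on non-ICS networks must not propagate into the ICS network. The usual engineering control for that is a pre-flight scope check that runs before any scanner is launched. The Python below is an added example, not material from the guide; the address ranges are constructed placeholders from private and documentation space, not a real plant. Any proposed target that so much as overlaps a protected ICS range is refused, which catches the common mistake of sweeping a supernet such as 10.0.0.0/8 that happens to contain a control network, and everything else must sit entirely inside the authorized scope.

```python
"""Pre-flight scope check for penetration tests near ICS networks (added example).

Not from NIST SP 800-82. The address ranges are constructed private and
documentation-range placeholders, not a real plant.
"""
import ipaddress

# Protected control-system ranges: nothing here may be touched from a test host.
ICS_RANGES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.100.0/24")]
# Ranges the authorizing official has approved for this engagement.
AUTHORIZED_SCOPE = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "203.0.113.0/24")]


def _same_version(a, b) -> bool:
    """ipaddress raises on IPv4/IPv6 comparisons, so guard them explicitly."""
    return a.version == b.version


def classify_targets(targets, scope=AUTHORIZED_SCOPE, ics=ICS_RANGES):
    """Split proposed targets (hosts or CIDRs) into allowed and blocked.

    A target is blocked if it overlaps any ICS range at all, even partially,
    so a careless supernet cannot sweep the control network; otherwise it
    must lie entirely inside an authorized range.
    """
    allowed, blocked = [], {}
    for t in targets:
        try:
            net = ipaddress.ip_network(t, strict=False)   # a bare host becomes a /32 or /128
        except ValueError:
            blocked[t] = "not a valid address or CIDR"
            continue
        if any(_same_version(net, r) and net.overlaps(r) for r in ics):
            blocked[t] = "overlaps protected ICS range"
        elif not any(_same_version(net, r) and net.subnet_of(r) for r in scope):
            blocked[t] = "outside authorized scope"
        else:
            allowed.append(t)
    return allowed, blocked


def exclude_list(ics=ICS_RANGES):
    """Lines for a scanner exclusion file (for example nmap --excludefile),
    applied in addition to the target check so that a later edit of the
    target list cannot silently widen the scan."""
    return [str(r) for r in ics]


if __name__ == "__main__":
    proposed = ["10.10.5.0/24", "10.20.1.7", "10.10.0.0/8", "203.0.113.9", "172.16.0.1"]
    ok, bad = classify_targets(proposed)
    print("allowed:", ok)
    for t, why in bad.items():
        print("blocked:", t, "->", why)
```

The check is deliberately asymmetric: overlap with an ICS range is enough to block, while a target must be fully contained in the scope to be allowed. Rate limiting and conservative timing options on the scanner itself are a separate matter the guidance also implies (ICS are sensitive to timing and have limited resources) and are not shown here.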
CA-9 INTERNAL SYSTEM CONNECTIONS

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  CA-9      Selected  Selected  Selected  Internal System Connections

ICS Supplemental Guidance: Organizations perform risk-benefit analysis to support the determination of whether an ICS should be connected to other internal information system(s) and (separate) constituent system components. The Authorizing Official fully understands the organizational information security policies and procedures; the ICS security policies and procedures; the risks to organizational operations and assets, individuals, other organizations, and the Nation associated with the connection to other information system(s) and (separate) constituent system components, whether by authorizing each individual internal connection or by authorizing internal connections for a class of components with common characteristics and/or configurations; and the specific health, safety, and environmental risks associated with a particular interconnection. The AO documents risk acceptance in the ICS system security plan.

CONFIGURATION MANAGEMENT - CM

Tailoring Considerations for Configuration Management Family
In situations where the ICS cannot be configured to restrict the use of unnecessary functions or cannot support the use of automated mechanisms to implement configuration management functions, the organization employs nonautomated mechanisms or procedures as compensating controls in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as appropriate.
Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.

CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  CM-1      Selected  Selected  Selected  Configuration Management Policy and Procedures

ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

CM-2 BASELINE CONFIGURATION

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  CM-2      Selected  Selected  Selected  Baseline Configuration
  CM-2 (1)  -         Selected  Selected  BASELINE CONFIGURATION | REVIEWS AND UPDATES
  CM-2 (2)  -         -         Selected  BASELINE CONFIGURATION | AUTOMATION SUPPORT FOR ACCURACY / CURRENCY
  CM-2 (3)  -         Selected  Selected  BASELINE CONFIGURATION | RETENTION OF PREVIOUS CONFIGURATIONS
  CM-2 (7)  -         Selected  Selected  BASELINE CONFIGURATION | CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS

No ICS Supplemental Guidance.

CM-3 CONFIGURATION CHANGE CONTROL

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  CM-3      -         Selected  Selected  Configuration Change Control
  CM-3 (1)  -         -         Selected  CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES
  CM-3 (2)  -         Selected  Selected  CONFIGURATION CHANGE CONTROL | TEST / VALIDATE / DOCUMENT CHANGES

No ICS Supplemental Guidance.

CM-4 SECURITY IMPACT ANALYSIS

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  CM-4      Selected  Selected  Selected  Security Impact Analysis
  CM-4 (1)  -         -         Selected  SECURITY IMPACT ANALYSIS | SEPARATE TEST ENVIRONMENTS

ICS Supplemental Guidance: The organization considers ICS safety and security interdependencies.
Control Enhancement: (1) No ICS Supplemental Guidance.

CM-5 ACCESS RESTRICTIONS FOR CHANGE

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  CM-5      -         Selected  Selected  Access Restrictions for Change
  CM-5 (1)  -         -         Selected  ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT / AUDITING
  CM-5 (2)  -         -         Selected  ACCESS RESTRICTIONS FOR CHANGE | AUDIT SYSTEM CHANGES
  CM-5 (3)  -         -         Selected  ACCESS RESTRICTIONS FOR CHANGE | SIGNED COMPONENTS

No ICS Supplemental Guidance.

CM-6 CONFIGURATION SETTINGS

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  CM-6      Selected  Selected  Selected  Configuration Settings
  CM-6 (1)  -         -         Selected  CONFIGURATION SETTINGS | AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION
  CM-6 (2)  -         -         Selected  CONFIGURATION SETTINGS | RESPOND TO UNAUTHORIZED CHANGES

No ICS Supplemental Guidance.

CM-7 LEAST FUNCTIONALITY

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  CM-7      Selected  Selected  Selected  Least Functionality
  CM-7 (1)  Added     Selected  Selected  LEAST FUNCTIONALITY | PERIODIC REVIEW
  CM-7 (2)  -         Removed   Selected  LEAST FUNCTIONALITY | PREVENT PROGRAM EXECUTION
  CM-7 (4)  -         Added     Selected  LEAST FUNCTIONALITY | UNAUTHORIZED SOFTWARE

ICS Supplemental Guidance: Ports, as used in NIST SP 800-53 Rev. 4, are part of the address space in network protocols and are often associated with specific protocols or functions. As such, ports are not relevant to non-routable protocols and devices. When dealing with non-routable and non-addressable protocols and devices, prohibiting or restricting the use of specified functions, protocols, and/or services must be implemented for the (sub)system granularity that is available (e.g., at a low level, interrupts could be disabled; at a high level, set points could be made read-only except for privileged users). Example compensating controls include employing nonautomated mechanisms or procedures.
Control Enhancement: (1, 2, 5) No ICS Supplemental Guidance.
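The CM-7 guidance above makes the point that on non-routable or non-addressable components least functionality has to be enforced at whatever granularity exists, and the baseline rationale that follows it recommends application whitelisting because the set of applications on an ICS host is essentially static. The following Python is an added example, not the guide's own material: it builds a SHA-256 manifest of the executables under a directory and reports what is unauthorized, modified or missing against that baseline, which is the check an allowlisting or baseline-drift tool performs (CM-2, CM-6 (2), CM-7 (5), CM-8 (3)). The directory, file names and contents are constructed in a temporary folder so the example runs offline; in a real deployment the baseline is produced from the validated image and kept off the host (CM-2 (3), AU-9 (2)).

```python
"""Executable baseline / allowlist drift check (added example, not from NIST SP 800-82).

Builds a SHA-256 manifest of the executables under a directory and reports
what is unauthorized (new), modified or missing relative to a stored baseline.
The directory contents in demo() are constructed in a temporary folder.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every executable file under root.

    The execute bit is the crude 'is this an application' filter; on a real
    host the interpreter script directories and shared libraries would be
    included as well.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and os.access(p, os.X_OK):
            manifest[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Report drift; anything 'unauthorized' or 'modified' must not be allowed to run."""
    common = baseline.keys() & current.keys()
    return {
        "unauthorized": sorted(current.keys() - baseline.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
        "missing": sorted(baseline.keys() - current.keys()),
    }


def _write_exe(path: Path, content: bytes) -> None:
    """Helper for the constructed scenario: write a file and mark it executable."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(content)
    path.chmod(0o755)


def demo() -> dict:
    """Constructed scenario: baseline an HMI host, then simulate typical drift."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        _write_exe(root / "bin" / "hmi.bin", b"\x7fELF hmi v1")
        _write_exe(root / "bin" / "historian.sh", b"#!/bin/sh\necho historian\n")
        (root / "README.txt").write_bytes(b"not executable, so not part of the allowlist")
        baseline = build_manifest(root)

        _write_exe(root / "bin" / "hmi.bin", b"\x7fELF hmi v1 + unapproved patch")  # modified
        _write_exe(root / "tmp" / "rogue.bin", b"\x7fELF dropped by an intruder")    # unauthorized
        (root / "bin" / "historian.sh").unlink()                                     # missing
        return compare_to_baseline(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A hash manifest answers "is this exactly the binary we validated", which is what makes allowlisting workable on a static ICS host; it does not by itself stop execution. Enforcement comes from the platform's allowlisting mechanism, and CM-5 (3) signed components is the complementary control when the vendor supplies signed images.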
Control Baseline Supplement Rationale: (1) Periodic review and removal of unnecessary and/or nonsecure functions, ports, protocols, and services are added to the LOW baseline because many of the LOW impact ICS components could adversely affect the systems to which they are connected. (4, 5) Whitelisting (CE 5) is more effective than blacklisting (CE 4). The set of applications that run in ICS is essentially static, making whitelisting practical. ICS-CERT recommends deploying application whitelisting on ICS. Reference: http://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B

CM-8 INFORMATION SYSTEM COMPONENT INVENTORY

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  CM-8      Selected  Selected  Selected  Information System Component Inventory
  CM-8 (1)  -         Selected  Selected  INFORMATION SYSTEM COMPONENT INVENTORY | UPDATES DURING INSTALLATIONS / REMOVALS
  CM-8 (2)  -         -         Selected  INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED MAINTENANCE
  CM-8 (3)  -         Selected  Selected  INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION
  CM-8 (4)  -         -         Selected  INFORMATION SYSTEM COMPONENT INVENTORY | PROPERTY ACCOUNTABILITY INFORMATION
  CM-8 (5)  -         Selected  Selected  INFORMATION SYSTEM COMPONENT INVENTORY | ALL COMPONENTS WITHIN AUTHORIZATION BOUNDARY

No ICS Supplemental Guidance.

CM-9 CONFIGURATION MANAGEMENT PLAN

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  CM-9      -         Selected  Selected  Configuration Management Plan

No ICS Supplemental Guidance.

CM-10 SOFTWARE USAGE RESTRICTIONS

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  CM-10     Selected  Selected  Selected  Software Usage Restrictions

No ICS Supplemental Guidance.

CM-11 USER-INSTALLED SOFTWARE

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  CM-11     Selected  Selected  Selected  User-Installed Software

No ICS Supplemental Guidance.

CONTINGENCY PLANNING - CP

Tailoring Considerations for Contingency Planning Family
ICS systems often contain a physical component at a fixed location. Such components may not be relocated logically. Some replacement components may not be readily available. Continuance of essential missions and business functions with little or no loss of operational continuity may not be possible. In situations where the organization cannot provide necessary essential services, support, or automated mechanisms during contingency operations, the organization provides nonautomated mechanisms or predetermined procedures as compensating controls in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as appropriate.

Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.

CP-1 CONTINGENCY PLANNING POLICY AND PROCEDURES
  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  CP-1      Selected  Selected  Selected  Contingency Planning Policy and Procedures

ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

CP-2 CONTINGENCY PLAN

  CNTL NO.  LOW       MOD       HIGH      CONTROL NAME / Control Enhancement Name
  CP-2      Selected  Selected  Selected  Contingency Plan
  CP-2 (1)  -         Selected  Selected  CONTINGENCY PLAN | COORDINATE WITH RELATED PLANS
  CP-2 (2)  -         -         Selected  CONTINGENCY PLAN | CAPACITY PLANNING
  CP-2 (3)  -         Selected  Selected  CONTINGENCY PLAN | RESUME ESSENTIAL MISSIONS / BUSINESS FUNCTIONS
  CP-2 (4)  -         -         Selected  CONTINGENCY PLAN | RESUME ALL MISSIONS / BUSINESS FUNCTIONS
  CP-2 (5)  -         -         Selected  CONTINGENCY PLAN | CONTINUE ESSENTIAL MISSIONS / BUSINESS FUNCTIONS
  CP-2 (8)  -         Selected  Selected  CONTINGENCY PLAN | IDENTIFY CRITICAL ASSETS

ICS Supplemental Guidance: The organization defines contingency plans for categories of disruptions or failures. In the event of a loss of processing within the ICS or communication with operational facilities, the ICS executes predetermined procedures (e.g., alert the operator of the failure and then do nothing, alert the operator and then safely shut down the industrial process, alert the operator and then maintain the last operational setting prior to failure).
Control Enhancement: (1) ICS Supplemental Guidance: Organizational elements responsible for related plans may include suppliers such as electric power, fuel, fresh water and wastewater.
Control Enhancement: (2) No IC Supplemental Guidance.
Control Enhancement: (3, 4) ICS Supplemental Guidance: Plans for the resumption of essential missions and business functions, and for resumption of all missions and business functions, take into account the effects of the disruption on the environment of operation. Restoration and resumption plans should include prioritization of efforts. Disruptions may affect the quality and quantity of resources in the environment, such as electric power, fuel, fresh water and wastewater, and the ability of these suppliers to also resume provision of essential mission and business functions. Contingency plans for widespread disruption may involve specialized organizations (e.g., FEMA, emergency services, regulatory authorities). Reference: NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs.
Control Enhancement: (5, 8) No ICS Supplemental Guidance.
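The CP-2 guidance lists three predetermined responses to a loss of processing or of communication with operational facilities: alert the operator and do nothing, alert and then safely shut down, alert and then hold the last operational setting. The watchdog below is an added Python illustration, not from the guide, of how such a policy is normally wired into a controller or RTU: a heartbeat timeout (the 2 s value, the set points and the safe state in demo() are assumed) trips the configured policy, and the trip latches until an operator acknowledges it so that intermittent communications cannot restart the process unsupervised.

```python
"""Communications-loss watchdog with a predetermined failure policy (added example).

Not from NIST SP 800-82. Models the three responses the CP-2 guidance lists
for loss of communication with operational facilities. The timeout and set
points in demo() are assumed values.
"""
from enum import Enum


class FailurePolicy(Enum):
    ALERT_ONLY = "alert the operator, take no control action"
    SAFE_SHUTDOWN = "alert the operator, then drive the process to its safe state"
    HOLD_LAST = "alert the operator, then hold the last operational setting"


class CommsWatchdog:
    """Tracks the master's heartbeat and applies the configured policy on timeout."""

    def __init__(self, timeout_s: float, policy: FailurePolicy, safe_state: float):
        self.timeout_s = timeout_s
        self.policy = policy
        self.safe_state = safe_state      # output that puts the process in a safe condition
        self.last_ok = None               # time of the last valid message from the master
        self.last_setpoint = None         # last operational setting received while comms were good
        self.tripped = False              # latched: cleared only by operator acknowledgement

    def heartbeat(self, now: float, setpoint: float) -> None:
        """Valid message from the master: refresh the timer and the last good setting."""
        self.last_ok = now
        self.last_setpoint = setpoint

    def reset(self) -> None:
        """Operator acknowledgement. Without it, returning comms do not silently
        resume remote control, which would hide the incident and could restart
        the process unsupervised."""
        self.tripped = False

    def evaluate(self, now: float) -> dict:
        """Called on every scan cycle; returns the output to apply and the alarm state."""
        if self.last_ok is None or now - self.last_ok > self.timeout_s:
            self.tripped = True            # never heard from the master, or silence exceeded the timeout
        if not self.tripped:
            return {"alarm": False, "output": self.last_setpoint, "action": None}
        if self.policy is FailurePolicy.SAFE_SHUTDOWN:
            output = self.safe_state
        elif self.policy is FailurePolicy.HOLD_LAST:
            output = self.last_setpoint
        else:                              # ALERT_ONLY: no override of the local control logic
            output = None
        return {"alarm": True, "output": output, "action": self.policy.value}


def demo(policy: FailurePolicy = FailurePolicy.HOLD_LAST) -> list:
    """Constructed scan sequence: comms OK, comms lost, comms back before reset, reset."""
    w = CommsWatchdog(timeout_s=2.0, policy=policy, safe_state=0.0)   # assumed values
    w.heartbeat(0.0, 55.0)
    out = [w.evaluate(1.5)]         # within the timeout
    out.append(w.evaluate(2.5))     # 2.5 s of silence: trip
    w.heartbeat(2.6, 60.0)          # master returns with a new set point
    out.append(w.evaluate(2.7))     # still latched
    w.reset()
    out.append(w.evaluate(2.8))     # normal operation resumes with the new setting
    return out


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Which policy is right is a process-safety decision, not a security one: holding the last setting is appropriate for a loop that is safe to leave running, a safe-state drive for one that is not, and alert-only where the local controller's own logic is already the safety layer. The latch is the part most often left out, and it is what turns a communications fault into a recorded, acknowledged event rather than a silent blip.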
CP-3 CONTINGENCY TRAINING

CNTL NO.   CONTROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
CP-3       Contingency Training                                                       Selected  Selected  Selected
CP-3 (1)   CONTINGENCY TRAINING | SIMULATED EVENTS                                    -         -         Selected

No ICS Supplemental Guidance.

CP-4 CONTINGENCY PLAN TESTING

CNTL NO.   CONTROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
CP-4       Contingency Plan Testing                                                   Selected  Selected  Selected
CP-4 (1)   CONTINGENCY PLAN TESTING | COORDINATE WITH RELATED PLANS                   -         Selected  Selected
CP-4 (2)   CONTINGENCY PLAN TESTING | ALTERNATE PROCESSING SITE                       -         -         Selected

No ICS Supplemental Guidance.

CP-6 ALTERNATE STORAGE SITE

CNTL NO.   CONTROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
CP-6       Alternate Storage Site                                                     -         Selected  Selected
CP-6 (1)   ALTERNATE STORAGE SITE | SEPARATION FROM PRIMARY SITE                      -         Selected  Selected
CP-6 (2)   ALTERNATE STORAGE SITE | RECOVERY TIME / POINT OBJECTIVES                  -         -         Selected
CP-6 (3)   ALTERNATE STORAGE SITE | ACCESSIBILITY                                     -         Selected  Selected

No ICS Supplemental Guidance.

CP-7 ALTERNATE PROCESSING SITE
CNTL NO.   CONTROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
CP-7       Alternate Processing Site                                                  -         Selected  Selected
CP-7 (1)   ALTERNATE PROCESSING SITE | SEPARATION FROM PRIMARY SITE                   -         Selected  Selected
CP-7 (2)   ALTERNATE PROCESSING SITE | ACCESSIBILITY                                  -         Selected  Selected
CP-7 (3)   ALTERNATE PROCESSING SITE | PRIORITY OF SERVICE                            -         Selected  Selected
CP-7 (4)   ALTERNATE PROCESSING SITE | CONFIGURATION FOR USE                          -         -         Selected

No ICS Supplemental Guidance.

CP-8 TELECOMMUNICATIONS SERVICES

CNTL NO.   CONTROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
CP-8       Telecommunications Services                                                -         Selected  Selected
CP-8 (1)   TELECOMMUNICATIONS SERVICES | PRIORITY OF SERVICE PROVISIONS               -         Selected  Selected
CP-8 (2)   TELECOMMUNICATIONS SERVICES | SINGLE POINTS OF FAILURE                     -         Selected  Selected
CP-8 (3)   TELECOMMUNICATIONS SERVICES | SEPARATION OF PRIMARY / ALTERNATE PROVIDERS  -         -         Selected
CP-8 (4)   TELECOMMUNICATIONS SERVICES | PROVIDER CONTINGENCY PLAN                    -         -         Selected

ICS Supplemental Guidance: Quality of service factors for ICS include latency and throughput.

Control Enhancement: (1, 2, 3, 4) No ICS Supplemental Guidance.
CP-9 INFORMATION SYSTEM BACKUP

CNTL NO.   CONTROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
CP-9       Information System Backup                                                  Selected  Selected  Selected
CP-9 (1)   INFORMATION SYSTEM BACKUP | TESTING FOR RELIABILITY / INTEGRITY            -         Selected  Selected
CP-9 (2)   INFORMATION SYSTEM BACKUP | TEST RESTORATION USING SAMPLING                -         -         Selected
CP-9 (3)   INFORMATION SYSTEM BACKUP | SEPARATE STORAGE FOR CRITICAL INFORMATION      -         -         Selected
CP-9 (5)   INFORMATION SYSTEM BACKUP | TRANSFER TO ALTERNATE SITE                     -         -         Selected

No ICS Supplemental Guidance.

CP-10 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION

CNTL NO.   CONTROL NAME / Control Enhancement Name                                             LOW       MOD       HIGH
CP-10      Information System Recovery and Reconstitution                                      Selected  Selected  Selected
CP-10 (2)  INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | TRANSACTION RECOVERY               -         Selected  Selected
CP-10 (4)  INFORMATION SYSTEM RECOVERY AND RECONSTITUTION | RESTORE WITHIN TIME PERIOD         -         -         Selected

ICS Supplemental Guidance: Reconstitution of the ICS includes considering whether system state variables should be restored to their initial values or to their values before the disruption (e.g., are valves restored to fully open, fully closed, or the settings in effect prior to the disruption).
Restoring system state variables may itself be disruptive to ongoing physical processes (e.g., valves whose initial state is closed may adversely affect system cooling).

Control Enhancement: (2, 4) No ICS Supplemental Guidance.

CP-12 SAFE MODE

CNTL NO.   CONTROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
CP-12      Safe Mode                                                                  Added     Added     Added

ICS Supplemental Guidance: The organization-defined conditions, and the corresponding restrictions of the safe mode of operation, may vary among baselines. The same condition(s) may trigger a different response depending on the impact level. The conditions may be external to the ICS (e.g., an electricity supply brown-out). Related control: SI-17.

Rationale for adding CP-12 to all baselines: This control provides a framework for the organization to plan its policy and procedures for dealing with conditions in the environment of operations that are beyond its control. Creating a written record of the decision process for selecting incidents and the appropriate response is part of risk management in light of a changing environment of operations.
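The CP-10 guidance above asks whether state variables should return to their initial values or to their pre-disruption values, and warns that the restore can itself disturb a running process. The following Python is an added example, not code from NIST SP 800-82 or from JPCERT, of a reconstitution planner that makes that choice explicit per variable and, while the process is still running, holds back any change to a process-critical variable for an operator decision instead of writing it. The variable names, values, the `process_critical` tag and all class and function names are assumptions made for the example.

```python
"""Reconstitution plan for ICS state variables.

Added example, not code from NIST SP 800-82 or JPCERT.  Each state variable
carries its commissioning (initial) value and the value captured before the
disruption.  The planner picks a target per the chosen policy and, while the
physical process is still running, holds back any change to a variable
tagged as process-critical so that an operator decides instead of the
restore job.  Variable names, values and tags are hypothetical.
"""
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    INITIAL = "initial"                 # restore to commissioning values
    PRE_DISRUPTION = "pre_disruption"   # restore to the last snapshot before the disruption


@dataclass(frozen=True)
class StateVar:
    name: str
    initial: float
    pre_disruption: float
    process_critical: bool = False   # changing it disturbs a running physical process


@dataclass
class Plan:
    apply: dict[str, float]                 # variable -> target, written immediately
    hold: dict[str, tuple[float, float]]    # variable -> (live, target), operator decides
    unchanged: list[str]                    # target already equals the live value


def plan_reconstitution(variables, live, policy, process_running):
    """Decide, per variable, whether the restore is a no-op, can be applied
    automatically, or must wait for the operator.  `live` holds the current
    reading of each variable after the disruption."""
    plan = Plan(apply={}, hold={}, unchanged=[])
    for var in variables:
        target = var.initial if policy is Policy.INITIAL else var.pre_disruption
        current = live[var.name]
        if current == target:
            plan.unchanged.append(var.name)
        elif process_running and var.process_critical:
            plan.hold[var.name] = (current, target)
        else:
            plan.apply[var.name] = target
    return plan


# Constructed data: a cooling loop whose controller rebooted.  The valve and
# pump kept their last positions (the hardware holds them), but the
# controller's own alarm threshold came back at its default.
VARIABLES = [
    StateVar("cooling_valve_pct", initial=0.0, pre_disruption=80.0, process_critical=True),
    StateVar("feed_pump_rpm", initial=0.0, pre_disruption=1450.0, process_critical=True),
    StateVar("high_temp_alarm_c", initial=90.0, pre_disruption=85.0),
]
LIVE_AFTER_REBOOT = {"cooling_valve_pct": 80.0, "feed_pump_rpm": 1450.0, "high_temp_alarm_c": 90.0}


def example_plans():
    """Three plans for the constructed data, keyed by (policy, process_running)."""
    return {
        (Policy.INITIAL, True): plan_reconstitution(VARIABLES, LIVE_AFTER_REBOOT, Policy.INITIAL, True),
        (Policy.PRE_DISRUPTION, True): plan_reconstitution(VARIABLES, LIVE_AFTER_REBOOT, Policy.PRE_DISRUPTION, True),
        (Policy.INITIAL, False): plan_reconstitution(VARIABLES, LIVE_AFTER_REBOOT, Policy.INITIAL, False),
    }


if __name__ == "__main__":
    for (policy, running), plan in example_plans().items():
        print(f"{policy.value:>15} running={running}: apply={plan.apply} hold={plan.hold} unchanged={plan.unchanged}")
```

With the process running, the "initial values" policy would close the cooling valve and stop the pump, exactly the disruption the guidance warns about, so both end up in the hold list and nothing is written automatically; the "pre-disruption" policy only needs to put the alarm threshold back. Once the process is confirmed stopped, the same initial-values plan applies everything.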
IDENTIFICATION AND AUTHENTICATION - IA

Tailoring Considerations for the Identification and Authentication Family

Before implementing controls in the IA family, consider the tradeoffs among security, privacy, latency, performance, and throughput.
For example, the organization considers whether the latency introduced by authentication mechanisms that employ cryptography would adversely affect the operational performance of the ICS. In situations where the ICS cannot support the specific Identification and Authentication requirements of a control, the organization employs compensating controls in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as appropriate.

Supplemental Guidance

The Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.

IA-1 IDENTIFICATION AND AUTHENTICATION POLICY AND PROCEDURES

CNTL NO.   CONTROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
IA-1       Identification and Authentication Policy and Procedures                    Selected  Selected  Selected

ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

IA-2 USER IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
CNTL NO.   CONTROL NAME / Control Enhancement Name                                                           LOW       MOD       HIGH
IA-2       Identification and Authentication (Organizational Users)                                           Selected  Selected  Selected
IA-2 (1)   IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVILEGED ACCOUNTS                          Selected  Selected  Selected
IA-2 (2)   IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS                      -         Selected  Selected
IA-2 (3)   IDENTIFICATION AND AUTHENTICATION | LOCAL ACCESS TO PRIVILEGED ACCOUNTS                            -         Selected  Selected
IA-2 (4)   IDENTIFICATION AND AUTHENTICATION | LOCAL ACCESS TO NON-PRIVILEGED ACCOUNTS                        -         -         Selected
IA-2 (8)   IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT       -         Selected  Selected
IA-2 (9)   IDENTIFICATION AND AUTHENTICATION | NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT   -         -         Selected
IA-2 (11)  IDENTIFICATION AND AUTHENTICATION | REMOTE ACCESS - SEPARATE DEVICE                                -         Selected  Selected
IA-2 (12)  IDENTIFICATION AND AUTHENTICATION | ACCEPTANCE OF PIV CREDENTIALS                                  Selected  Selected  Selected

ICS Supplemental Guidance: Where users function as a single group (e.g., control room operators), user identification and authentication may be role-based, group-based, or device-based. For certain ICS, the capability for immediate operator interaction is critical. Local emergency actions for ICS are not hampered by identification or authentication requirements; access to these systems may instead be restricted by appropriate physical security controls. Example compensating controls include providing increased physical security, personnel security, and auditing measures. For example, manual voice authentication of remote personnel, and local manual actions, may be required in order to establish remote access. See the AC-17 ICS Supplemental Guidance. Local user access to ICS components is enabled only when necessary, approved, and authenticated.
Control Enhancement: (1, 2, 3, 4) ICS Supplemental Guidance: Example compensating controls include implementing physical security measures.

Control Enhancement: (8, 9) ICS Supplemental Guidance: Example compensating controls include providing replay resistance in an external system.

Control Enhancement: (11) No ICS Supplemental Guidance.

Control Enhancement: (12) ICS Supplemental Guidance: Example compensating controls include implementing support for PIV external to the ICS.

IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION

CNTL NO.   CONTROL NAME / Control Enhancement Name                                                           LOW       MOD       HIGH
IA-3       Device Identification and Authentication                                                           Added     Selected  Selected
IA-3 (1)   DEVICE IDENTIFICATION AND AUTHENTICATION | CRYPTOGRAPHIC BIDIRECTIONAL AUTHENTICATION              -         Added     Added
IA-3 (4)   DEVICE IDENTIFICATION AND AUTHENTICATION | DEVICE ATTESTATION                                      -         Added     Added

ICS Supplemental Guidance: The organization may permit the connection to its ICS of devices, also known as non-person entities (NPE), that belong to and are authorized by another organization (e.g., business partners). Especially when these devices are non-local, their identification and authentication can be vital. Organizations may perform risk and impact analysis to determine the required strength of authentication mechanisms. Example compensating controls for devices and protocols that do not provide authentication for remote network connections include implementing physical security measures.

Control Enhancement: (1, 4) ICS Supplemental Guidance: Configuration management for NPE identification and authentication customarily involves a human surrogate or representative for the NPE. Devices are provided with their identification and authentication credentials based on assertions by the human surrogate.
The human surrogate also responds to events and anomalies (e.g., credential expiration). Credentials for software entities (e.g., autonomous processes not associated with a specific person) that are based on properties of that software (e.g., digital signatures) may change every time the software is changed or patched. Special-purpose hardware (e.g., custom integrated circuits and printed-circuit boards) may exhibit similar dependencies. The organization's definition of parameters may differ among the impact levels.

Rationale (applies to the control and its control enhancements): ICS may exchange information with many external systems and devices. Identifying and authenticating devices introduces situations that do not exist with humans. These controls include assignments that enable the organization to categorize devices by type, model, or other group characteristics. The assignments also enable the organization to select appropriate controls for local, remote, and network connections.

IA-4 IDENTIFIER MANAGEMENT

CNTL NO.   CONTROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
IA-4       Identifier Management                                                      Selected  Selected  Selected

No ICS Supplemental Guidance.
IA-5 AUTHENTICATOR MANAGEMENT
CNTL NO.   CONTROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
IA-5       Authenticator Management                                                   Selected  Selected  Selected
IA-5 (1)   AUTHENTICATOR MANAGEMENT | PASSWORD-BASED AUTHENTICATION                   Selected  Selected  Selected
IA-5 (2)   AUTHENTICATOR MANAGEMENT | PKI-BASED AUTHENTICATION                        -         Selected  Selected
IA-5 (3)   AUTHENTICATOR MANAGEMENT | IN-PERSON REGISTRATION                          -         Selected  Selected
IA-5 (11)  AUTHENTICATOR MANAGEMENT | HARDWARE TOKEN-BASED AUTHENTICATION             Selected  Selected  Selected

ICS Supplemental Guidance: Example compensating controls include physical access control, and encapsulating the ICS so that authentication is provided external to the ICS.

Control Enhancement: (1, 2, 3, 11) No ICS Supplemental Guidance.

IA-6 AUTHENTICATOR FEEDBACK

CNTL NO.   CONTROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
IA-6       Authenticator Feedback                                                     Selected  Selected  Selected

ICS Supplemental Guidance: This control assumes a visual interface that provides feedback of authentication information during the authentication process. When ICS authentication uses an interface that does not support visual feedback (e.g., protocol-based authentication), this control may be tailored out.

IA-7 CRYPTOGRAPHIC MODULE AUTHENTICATION

CNTL NO.   CONTROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
IA-7       Cryptographic Module Authentication                                        Selected  Selected  Selected

No ICS Supplemental Guidance.

IA-8 IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS)
CNTL NO.   CONTROL NAME / Control Enhancement Name                                                                        LOW       MOD       HIGH
IA-8       Identification and Authentication (Non-Organizational Users)                                                    Selected  Selected  Selected
IA-8 (1)   IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES  Selected  Selected  Selected
IA-8 (2)   IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | ACCEPTANCE OF THIRD-PARTY CREDENTIALS             Selected  Selected  Selected
IA-8 (3)   IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | USE OF FICAM-APPROVED PRODUCTS                    Selected  Selected  Selected
IA-8 (4)   IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS) | USE OF FICAM-ISSUED PROFILES                      Selected  Selected  Selected

ICS Supplemental Guidance: The ICS Supplemental Guidance for IA-2, Identification and Authentication (Organizational Users), also applies to non-organizational users.

Control Enhancement: (1, 2, 3, 4) ICS Supplemental Guidance: Example compensating controls include implementing support external to the ICS, and multi-factor authentication.
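The IA-2 (8)/(9) replay-resistance enhancements and the IA-3 (1)/(4) guidance above (cryptographic bidirectional authentication, device attestation, and credentials for software entities that change whenever the software is patched) are shown together in the following Python, an added example that is not code from NIST SP 800-82 or from JPCERT. It is a shared-key HMAC challenge-response: the device and the ICS host each prove possession of a key to the other, every session uses fresh nonces on both sides so a captured proof cannot be replayed, and the key is bound to a SHA-256 measurement of the device firmware so that a patched device stops authenticating until its human surrogate enrols the new image. The device identifier `rtu-17`, the secrets, the firmware byte strings and all class and function names are constructed for the example; a production design would keep the device secret in a secure element and take the firmware measurement from a hardware root of trust rather than hashing a byte string in software.

```python
"""Device (NPE) authentication: mutual, replay-resistant, bound to the software.

Added example, not code from NIST SP 800-82 or JPCERT.  Shared-key
challenge-response: host and device authenticate each other (IA-3 (1)),
fresh nonces defeat replay (IA-2 (8)/(9)), and the session key is bound to a
SHA-256 measurement of the firmware, so a patched device fails until its
human surrogate re-enrols the new image (IA-3 (4)).  All secrets, identifiers
and firmware bytes are constructed for the example.
"""
import hashlib
import hmac
import secrets

def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over a label and length-prefixed parts."""
    mac = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()

def software_identity(firmware: bytes) -> bytes:
    return hashlib.sha256(firmware).digest()   # credential component derived from the software itself

def bound_key(device_secret: bytes, sw_id: bytes) -> bytes:
    return prf(device_secret, b"bind", sw_id)  # changes whenever the image changes

class Host:
    def __init__(self):
        self.enrolled = {}   # device_id -> (device_secret, software identity the surrogate approved)
        self.sessions = {}   # device_id -> (device_nonce, host_nonce) awaiting the device proof

    def enroll(self, device_id, device_secret, firmware):
        self.enrolled[device_id] = (device_secret, software_identity(firmware))

    def start(self, device_id, device_nonce):
        """Step 2: a fresh host nonce plus the host's proof over both nonces."""
        if device_id not in self.enrolled:
            return None
        secret, sw_id = self.enrolled[device_id]
        host_nonce = secrets.token_bytes(16)
        self.sessions[device_id] = (device_nonce, host_nonce)
        return host_nonce, prf(bound_key(secret, sw_id), b"host->device", device_id.encode(), device_nonce, host_nonce)

    def finish(self, device_id, device_proof):
        """Step 4: the proof must cover this session's host nonce, so a captured proof never verifies."""
        session = self.sessions.pop(device_id, None)
        if session is None:
            return False
        secret, sw_id = self.enrolled[device_id]
        device_nonce, host_nonce = session
        expected = prf(bound_key(secret, sw_id), b"device->host", device_id.encode(), host_nonce, device_nonce)
        return hmac.compare_digest(expected, device_proof)

class Device:
    def __init__(self, device_id, device_secret, firmware):
        self.device_id, self.secret, self.firmware, self.nonce = device_id, device_secret, firmware, None

    def key(self):
        return bound_key(self.secret, software_identity(self.firmware))   # measured at run time, not cached

    def hello(self):
        """Step 1: identifier and a fresh device nonce."""
        self.nonce = secrets.token_bytes(16)
        return self.device_id, self.nonce

    def respond(self, host_nonce, host_proof):
        """Step 3: authenticate the host first; never answer an unauthenticated challenge."""
        expected = prf(self.key(), b"host->device", self.device_id.encode(), self.nonce, host_nonce)
        if not hmac.compare_digest(expected, host_proof):
            return None
        return prf(self.key(), b"device->host", self.device_id.encode(), host_nonce, self.nonce)

def authenticate(device, host):
    device_id, device_nonce = device.hello()
    challenge = host.start(device_id, device_nonce)
    if challenge is None:
        return False
    device_proof = device.respond(*challenge)
    return device_proof is not None and host.finish(device_id, device_proof)

def run_scenarios():
    """Constructed scenarios; each value says whether authentication succeeded."""
    secret, fw_v1, fw_v2 = b"secret provisioned at enrolment", b"firmware v1 (constructed)", b"firmware v2 (constructed)"
    host, device = Host(), Device("rtu-17", secret, fw_v1)
    host.enroll("rtu-17", secret, fw_v1)
    out = {"genuine": authenticate(device, host)}
    device_id, nonce = device.hello()                 # replay: capture one full exchange ...
    host_nonce, host_proof = host.start(device_id, nonce)
    captured = device.respond(host_nonce, host_proof)
    host.finish(device_id, captured)
    host.start(device_id, nonce)                      # ... then resubmit the proof in a new session
    out["replayed_proof"] = host.finish(device_id, captured)
    rogue = Host()
    rogue.enroll("rtu-17", b"guessed secret", fw_v1)
    out["rogue_host"] = authenticate(device, rogue)   # device withholds its proof from an unauthenticated host
    device.firmware = fw_v2                           # patched without telling the surrogate
    out["patched_not_reenrolled"] = authenticate(device, host)
    host.enroll("rtu-17", secret, fw_v2)              # surrogate approves the new image
    out["patched_reenrolled"] = authenticate(device, host)
    return out
```

Two design points worth noting: the device verifies the host's proof before it releases its own, so a rogue host learns nothing it can replay elsewhere; and because the key is derived from the measured image on every run rather than cached at boot, the "credential changes when the software is patched" property falls out of the key derivation instead of depending on a version string the device reports about itself.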
INCIDENT RESPONSE - IR

Tailoring Considerations for the Incident Response Family

The automated mechanisms used to support the tracking of security incidents are typically not part of, or connected to, the ICS.

Supplemental Guidance

The Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev.
4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.

IR-1 INCIDENT RESPONSE POLICY AND PROCEDURES

CNTL NO.   CONTROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
IR-1       Incident Response Policy and Procedures                                    Selected  Selected  Selected

ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

IR-2 INCIDENT RESPONSE TRAINING

CNTL NO.   CONTROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
IR-2       Incident Response Training                                                 Selected  Selected  Selected
IR-2 (1)   INCIDENT RESPONSE TRAINING | SIMULATED EVENTS                              -         -         Selected
IR-2 (2)   INCIDENT RESPONSE TRAINING | AUTOMATED TRAINING ENVIRONMENTS               -         -         Selected

No ICS Supplemental Guidance.

IR-3 INCIDENT RESPONSE TESTING

CNTL NO.   CONTROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
IR-3       Incident Response Testing                                                  -         Selected  Selected
IR-3 (2)   INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS                -         Selected  Selected

No ICS Supplemental Guidance.

IR-4 INCIDENT HANDLING

CNTL NO.   CONTROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
IR-4       Incident Handling                                                          Selected  Selected  Selected
IR-4 (1)   INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES                  -         Selected  Selected
IR-4 (4)   INCIDENT HANDLING | INFORMATION CORRELATION                                -         -         Selected

No ICS Supplemental Guidance.
IR-5 INCIDENT MONITORING

CNTL NO.   CONTROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
IR-5       Incident Monitoring                                                        Selected  Selected  Selected
IR-5 (1)   INCIDENT MONITORING | AUTOMATED TRACKING / DATA COLLECTION / ANALYSIS      -         -         Selected

No ICS Supplemental Guidance.

IR-6 INCIDENT REPORTING

CNTL NO.   CONTROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
IR-6       Incident Reporting                                                         Selected  Selected  Selected
IR-6 (1)   INCIDENT REPORTING | AUTOMATED REPORTING                                   -         Selected  Selected

ICS Supplemental Guidance: The organization should report incidents on a timely basis.
The DHS National Cybersecurity & Communications Integration Center (NCCIC), http://www.dhs.gov/about-national-cybersecurity-communications-integration-center, serves as a centralized location where the operational elements involved in cybersecurity and communications reliance are coordinated and integrated. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), http://ics-cert.us-cert.gov/ics-cert/, collaborates with international and private-sector Computer Emergency Response Teams (CERTs) to share control-system-related security incidents and mitigation measures.

Control Enhancement: (1) ICS Supplemental Guidance: The automated mechanisms used to support the incident reporting process are not necessarily part of, or connected to, the ICS.

IR-7 INCIDENT RESPONSE ASSISTANCE

CNTL NO.   CONTROL NAME / Control Enhancement Name                                                     LOW       MOD       HIGH
IR-7       Incident Response Assistance                                                                 Selected  Selected  Selected
IR-7 (1)   INCIDENT RESPONSE ASSISTANCE | AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION / SUPPORT  -         Selected  Selected

No ICS Supplemental Guidance.

IR-8 INCIDENT RESPONSE PLAN

CNTL NO.   CONT­ROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
IR-8       Incident Response Plan                                                     Selected  Selected  Selected

No ICS Supplemental Guidance.
MAINTENANCE - MA

Tailoring Considerations for the Maintenance Family

The automated mechanisms used to schedule, conduct, and document maintenance and repairs are not necessarily part of, or connected to, the ICS. In situations where the ICS cannot support the specific Maintenance requirements of a control, the organization employs compensating controls in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as appropriate.
Supplemental Guidance

The Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.

MA-1 SYSTEM MAINTENANCE POLICY AND PROCEDURES

CNTL NO.   CONTROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
MA-1       Maintenance Policy and Procedures                                          Selected  Selected  Selected

ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

MA-2 CONTROLLED MAINTENANCE

CNTL NO.   CONTROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
MA-2       Controlled Maintenance                                                     Selected  Selected  Selected
MA-2 (2)   CONTROLLED MAINTENANCE | AUTOMATED MAINTENANCE ACTIVITIES                  -         -         Selected

No ICS Supplemental Guidance.

MA-3 MAINTENANCE TOOLS

CNTL NO.   CONTROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
MA-3       Maintenance Tools                                                          -         Selected  Selected
MA-3 (1)   MAINTENANCE TOOLS | INSPECT TOOLS                                          -         Selected  Selected
MA-3 (2)   MAINTENANCE TOOLS | INSPECT MEDIA                                          -         Selected  Selected
MA-3 (3)   MAINTENANCE TOOLS | PREVENT UNAUTHORIZED REMOVAL                           -         -         Selected

No ICS Supplemental Guidance.
MA-4 NONLOCAL MAINTENANCE

CNTL NO.   CONTROL NAME / Control Enhancement Name                                    LOW       MOD       HIGH
MA-4       Non-Local Maintenance                                                      Selected  Selected  Selected
MA-4 (2)   NON-LOCAL MAINTENANCE | DOCUMENT NON-LOCAL MAINTENANCE                     -         Selected  Selected
MA-4 (3)   NON-LOCAL MAINTENANCE | COMPARABLE SECURITY / SANITIZATION                 -         -         Selected

No ICS Supplemental Guidance.

Control Enhancement: (2) No ICS Supplemental Guidance.

Control Enhancement: (3) ICS Supplemental Guidance: In crisis or emergency situations, the organization may need immediate access to non-local maintenance and diagnostic services in order to restore essential ICS operations or services.
Example compensating controls include limiting the extent of the maintenance and diagnostic services to the minimum essential activities, carefully monitoring and auditing the non-local maintenance and diagnostic activities. MA-5 MAINTENANCE PERSONNEL CONTROL NAME Control Enhancement Name CNTL NO. MA-5 MA-5 (1) Maintenance Personnel CONTROL BASELINES LOW MOD HIGH Selected Selected Selected MAINTENANCE PERSONNEL | INDIVIDUALS WITHOUT Selected APPROPRIATE ACCESS No ICS Supplemental Guidance. MA-6 TIMELY MAINTENANCE CONTROL NAME Control Enhancement Name CNTL NO. MA-6 Timely Maintenance No ICS Supplemental Guidance. 417 CONTROL BASELINES LOW MOD HIGH Selected Selected SP800-82 第 2 ç MA-4 ç£æ¥çšå¶åŸ¡ã·ã¹ãã ïŒICSïŒã»ãã¥ãªãã£ã¬ã€ã éããŒã«ã«ä¿å® 管çå 管ççªå· 管çããŒã¹ã©ã€ã³ 管çæ¡åŒµå éããŒã«ã«ä¿å® MA-4 äœ äž é« éžå® éžå® éžå® éžå® éžå® MA-4 (2) éããŒã«ã«ä¿å® | éããŒã«ã«ä¿å®ã®ææžå MA-4 (3) éããŒã«ã«ä¿å® | åçã»ãã¥ãªãã£ã»ãµãã¿ã€ãº éžå® ICS è£è¶³ã¬ã€ãã³ã¹ãªã 管çæ¡åŒµïŒ(2) ICS è£è¶³ã¬ã€ãã³ã¹ãªã 管çæ¡åŒµïŒ(3) ICS è£è¶³ã¬ã€ãã³ã¹ïŒå±æ©åã¯ç·æ¥äºæ ã«ã¯ãéèŠ ICS éçšåã¯ãµãŒãã¹ã埩 æ§ãããããçµç¹ã¯éããŒã«ã«ä¿å®åã³èšºæãµãŒãã¹ãçŽã¡ã«å©çšããå¿ èŠããããè£åç管ç çã®äŸãšããŠãä¿å®åã³èšºæãµãŒãã¹ãæäœéå¿ èŠãªçšåºŠã«éå®ããéããŒã«ã«ä¿å®åã³èšºæ掻 åãæ éã«ç£èŠã»ç£æ»ããã MA-5 ä¿å®èŠå¡ 管çå 管ççªå· 管çããŒã¹ã©ã€ã³ 管çæ¡åŒµå ä¿å®èŠå¡ MA-5 äœ äž é« éžå® éžå® éžå® MA-5 (1) ä¿å®èŠå¡ | é©æ§ã¢ã¯ã»ã¹ä»¥å€ã®å人 éžå® ICS è£è¶³ã¬ã€ãã³ã¹ãªã MA-6 é©æçä¿å® 管çå 管ççªå· 管çããŒã¹ã©ã€ã³ 管çæ¡åŒµå äœ MA-6 é©æçä¿å® ICS è£è¶³ã¬ã€ãã³ã¹ãªã 418 äž é« éžå® éžå® SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY MEDIA PROTECTION âMP Supplemental Guidance Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any. MP-1 MEDIA PROTECTION POLICY AND PROCEDURES CONTROL NAME Control Enhancement Name CNTL NO. 
MP-1  Media Protection Policy and Procedures  LOW: Selected  MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

MP-2 MEDIA ACCESS
MP-2  Media Access  LOW: Selected  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.

MP-3 MEDIA MARKING
MP-3  Media Marking  LOW: -  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.

MP-4 MEDIA STORAGE
MP-4  Media Storage  LOW: -  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.

MP-5 MEDIA TRANSPORT
MP-5  Media Transport  LOW: -  MOD: Selected  HIGH: Selected
MP-5 (4)  MEDIA TRANSPORT | CRYPTOGRAPHIC PROTECTION  LOW: -  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.

MP-6 MEDIA SANITIZATION
MP-6  Media Sanitization  LOW: Selected  MOD: Selected  HIGH: Selected
MP-6 (1)  MEDIA SANITIZATION | TRACKING / DOCUMENTING / VERIFYING  LOW: -  MOD: -  HIGH: Selected
MP-6 (2)  MEDIA SANITIZATION | EQUIPMENT TESTING  LOW: -  MOD: -  HIGH: Selected
MP-6 (3)  MEDIA SANITIZATION | NON-DESTRUCTIVE TECHNIQUES  LOW: -  MOD: -  HIGH: Selected
No ICS Supplemental Guidance.

MP-7 MEDIA USE
MP-7  Media Use  LOW: Selected  MOD: Selected  HIGH: Selected
MP-7 (1)  MEDIA USE | ORGANIZATIONAL RESTRICTIONS  LOW: -  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.

PHYSICAL AND ENVIRONMENTAL PROTECTION – PE

Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.

PE-1 PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY AND PROCEDURES
PE-1  Physical and Environmental Protection Policy and Procedures  LOW: Selected  MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.
The ICS components can be distributed over a large facility footprint or geographic area and can be an entry point into the entire organizational ICS network. Regulatory controls may also apply.

PE-2 PHYSICAL ACCESS AUTHORIZATIONS
PE-2  Physical Access Authorizations  LOW: Selected  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.

PE-3 PHYSICAL ACCESS CONTROL
PE-3  Physical Access Control  LOW: Selected  MOD: Selected  HIGH: Selected
PE-3 (1)  PHYSICAL ACCESS CONTROL | INFORMATION SYSTEM ACCESS  LOW: -  MOD: -  HIGH: Selected
ICS Supplemental Guidance: The organization considers ICS safety and security interdependencies. The organization considers access requirements in emergency situations. During an emergency-related event, the organization may restrict access to ICS facilities and assets to authorized individuals only. ICS are often constructed of devices that either do not have or cannot use comprehensive access control capabilities due to time-restrictive safety constraints. Physical access controls and defense-in-depth measures are used by the organization when necessary and possible to supplement ICS security when electronic mechanisms are unable to fulfill the security requirements of the organization's security plan. Primary nodes, distribution closets, and mechanical/electrical rooms should be locked, require key or electronic access control, and incorporate intrusion detection sensors.
Control Enhancement: (1) No ICS Supplemental Guidance.

PE-4 ACCESS CONTROL FOR TRANSMISSION MEDIUM
PE-4  Access Control for Transmission Medium  LOW: -  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.

PE-5 ACCESS CONTROL FOR OUTPUT DEVICES
PE-5  Access Control for Output Devices  LOW: -  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.

PE-6 MONITORING PHYSICAL ACCESS
PE-6  Monitoring Physical Access  LOW: Selected  MOD: Selected  HIGH: Selected
PE-6 (1)  MONITORING PHYSICAL ACCESS | INTRUSION ALARMS / SURVEILLANCE EQUIPMENT  LOW: -  MOD: Selected  HIGH: Selected
PE-6 (4)  MONITORING PHYSICAL ACCESS | MONITORING PHYSICAL ACCESS TO INFORMATION SYSTEMS  LOW: -  MOD: Added  HIGH: Selected
ICS Supplemental Guidance: Physical access controls and defense-in-depth measures are used as compensating controls by the organization when necessary and possible to supplement ICS security when electronic mechanisms are unable to monitor, detect and alarm when an ICS has been accessed. These compensating controls are in addition to the PE-6 controls (e.g., employing PE-3(4) Lockable Casings and/or PE-3(5) Tamper Protection).
Control Enhancement: (1) No ICS Supplemental Guidance.
Control Enhancement: (4) ICS Supplemental Guidance: The locations of ICS components (e.g., field devices, remote terminal units) can include various remote locations (e.g., substations, pumping stations).
Rationale (adding CE 4 to MODERATE baseline): Many of the ICS components are in remote geographical and dispersed locations with little capability to monitor all ICS components. Other components may be in ceilings, floors, or distribution closets with minimal physical barriers to detect, delay or deny access to the devices and no electronic surveillance or guard forces response capability.

PE-8 VISITOR ACCESS RECORDS
PE-8  Visitor Access Records  LOW: Selected  MOD: Selected  HIGH: Selected
PE-8 (1)  VISITOR ACCESS RECORDS | AUTOMATED RECORDS MAINTENANCE / REVIEW  LOW: -  MOD: -  HIGH: Selected
No ICS Supplemental Guidance.

PE-9 POWER EQUIPMENT AND CABLING
PE-9  Power Equipment and Cabling  LOW: -  MOD: Selected  HIGH: Selected
PE-9 (1)  POWER EQUIPMENT AND CABLING | REDUNDANT CABLING  LOW: -  MOD: Added  HIGH: Added
No ICS Supplemental Guidance.
Control Enhancement: (1) No ICS Supplemental Guidance.
Rationale (for adding (1)): Continuity of ICS control and operation requires redundant power cabling.

PE-10 EMERGENCY SHUTOFF
PE-10  Emergency Shutoff  LOW: -  MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: It may not be possible or advisable to shut off power to some ICS. Example compensating controls include fail in known state and emergency procedures.

PE-11 EMERGENCY POWER
PE-11  Emergency Power  LOW: Added  MOD: Selected  HIGH: Selected
PE-11 (1)  EMERGENCY POWER | LONG-TERM ALTERNATE POWER SUPPLY - MINIMAL OPERATIONAL CAPABILITY  LOW: Added  MOD: Added  HIGH: Selected
PE-11 (2)  EMERGENCY POWER | LONG-TERM ALTERNATE POWER SUPPLY - SELF-CONTAINED  LOW: -  MOD: -  HIGH: Added
ICS Supplemental Guidance: Emergency power production, transmission and distribution systems are a type of ICS that are required to meet extremely high performance specifications. The systems are governed by international, national, state and local building codes, must be tested on a continual basis, and must be repaired and placed back into operation within a short period of time. Traditionally, emergency power has been provided by generators for short- to mid-term power (typically for fire and life safety systems, some IT load, and evacuation transport) and UPS battery packs in distribution closets and within work areas to allow some level of business continuity and the orderly shutdown of non-essential IT and facility systems. Traditional emergency power systems typically are off-line until a loss of power occurs and are typically on a separate network and control system specific to the facility they support. New methods of energy generation and storage (e.g., solar voltaic, geothermal, flywheel, microgrid, distributed energy) that have a real-time demand and storage connection to local utilities or are cross-connected to multiple facilities should be carefully analyzed to ensure that the power can meet the load and signal quality without disruption of mission essential functions.
Control Enhancement: (1) No ICS Supplemental Guidance.
Rationale for adding control to baseline: ICS may support critical activities which will be needed for safety and reliability even in the absence of reliable power from the public grid.

PE-12 EMERGENCY LIGHTING
PE-12  Emergency Lighting  LOW: Selected  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.

PE-13 FIRE PROTECTION
PE-13  Fire Protection  LOW: Selected  MOD: Selected  HIGH: Selected
PE-13 (1)  FIRE PROTECTION | DETECTION DEVICES / SYSTEMS  LOW: -  MOD: -  HIGH: Selected
PE-13 (2)  FIRE PROTECTION | SUPPRESSION DEVICES / SYSTEMS  LOW: -  MOD: -  HIGH: Selected
PE-13 (3)  FIRE PROTECTION | AUTOMATIC FIRE SUPPRESSION  LOW: -  MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: Fire suppression mechanisms should take the ICS environment into account (e.g., water sprinkler systems could be hazardous in specific environments).
Control Enhancement: (1, 2, 3) No ICS Supplemental Guidance.

PE-14 TEMPERATURE AND HUMIDITY CONTROLS
PE-14  Temperature and Humidity Controls  LOW: Selected  MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: Temperature and humidity controls are typically components of other ICS such as the HVAC, process, or lighting systems, or can be a standalone and unique ICS. ICS can operate in extreme environments and in both interior and exterior locations. For a specific ICS, the temperature and humidity design and operational parameters dictate the performance specifications. As ICS and IS become interconnected and the network provides connectivity across the hybrid domain, power circuits, distribution closets, routers and switches that support fire protection and life safety systems must be maintained at the proper temperature and humidity.

PE-15 WATER DAMAGE PROTECTION
PE-15  Water Damage Protection  LOW: Selected  MOD: Selected  HIGH: Selected
PE-15 (1)  WATER DAMAGE PROTECTION | AUTOMATION SUPPORT  LOW: -  MOD: -  HIGH: Selected
ICS Supplemental Guidance: Water damage protection and the use of shutoff and isolation valves is both a procedural action and a specific type of ICS. ICS that are used in the manufacturing, hydropower, transportation/navigation, water and wastewater industries rely on the movement of water and are specifically designed to manage the quantity/flow and pressure of water. As ICS and IS become interconnected and the network provides connectivity across the hybrid domain, power circuits, distribution closets, routers and switches that support fire protection and life safety systems should ensure that water will not disable the system (e.g., a fire that activates the sprinkler system does not spray onto the fire control servers, routers and switches and short out the alarms, egress systems, emergency lighting, and suppression systems).
Control Enhancement: (1) No ICS Supplemental Guidance.

PE-16 DELIVERY AND REMOVAL
PE-16  Delivery and Removal  LOW: Selected  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.

PE-17 ALTERNATE WORK SITE
PE-17  Alternate Work Site  LOW: -  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.

PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS
PE-18  Location of Information System Components  LOW: Selected  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.

PLANNING – PL

Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.

PL-1 SECURITY PLANNING POLICY AND PROCEDURES
PL-1  Security Planning Policy and Procedures  LOW: Selected  MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

PL-2 SYSTEM SECURITY PLAN
PL-2  System Security Plan  LOW: Selected  MOD: Selected  HIGH: Selected
PL-2 (3)  SYSTEM SECURITY PLAN | PLAN / COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES  LOW: Added  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.
Control Enhancement: (3) No ICS Supplemental Guidance.
Rationale for adding PL-2 (3) to low baseline: When systems are highly inter-connected, coordinated planning is essential. A low impact system could adversely affect a higher impact system.

PL-4 RULES OF BEHAVIOR
PL-4  Rules of Behavior  LOW: Selected  MOD: Selected  HIGH: Selected
PL-4 (1)  RULES OF BEHAVIOR | SOCIAL MEDIA AND NETWORKING RESTRICTIONS  LOW: -  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.

PL-7 SECURITY CONCEPT OF OPERATIONS (CONOPS)
PL-7  Security Concept of Operations  LOW: -  MOD: Added  HIGH: Added
No ICS Supplemental Guidance.
Rationale for adding PL-7 to moderate and high baselines: ICS are complex systems. Organizations typically employ a CONOPS to help define a system and share that understanding with personnel involved with that system and other systems with which it interacts. A CONOPS often helps identify information protection requirements.

PL-8 INFORMATION SECURITY ARCHITECTURE
PL-8  Information Security Architecture  LOW: -  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.

PERSONNEL SECURITY – PS

Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.

PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES
PS-1  Personnel Security Policy and Procedures  LOW: Selected  MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

PS-2 POSITION RISK DESIGNATION
PS-2  Position Risk Designation  LOW: Selected  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.

PS-3 PERSONNEL SCREENING
PS-3  Personnel Screening  LOW: Selected  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.

PS-4 PERSONNEL TERMINATION
PS-4  Personnel Termination  LOW: Selected  MOD: Selected  HIGH: Selected
PS-4 (2)  PERSONNEL TERMINATION | AUTOMATED NOTIFICATION  LOW: -  MOD: -  HIGH: Selected
No ICS Supplemental Guidance.

PS-5 PERSONNEL TRANSFER
PS-5  Personnel Transfer  LOW: Selected  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.

PS-6 ACCESS AGREEMENTS
PS-6  Access Agreements  LOW: Selected  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.

PS-7 THIRD-PARTY PERSONNEL SECURITY
PS-7  Third-Party Personnel Security  LOW: Selected  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.

PS-8 PERSONNEL SANCTIONS
PS-8  Personnel Sanctions  LOW: Selected  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.

RISK ASSESSMENT – RA

Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.

RA-1 RISK ASSESSMENT POLICY AND PROCEDURES
RA-1  Risk Assessment Policy and Procedures  LOW: Selected  MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

RA-2 SECURITY CATEGORIZATION
RA-2  Security Categorization  LOW: Selected  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.

RA-3 RISK ASSESSMENT
RA-3  Risk Assessment  LOW: Selected  MOD: Selected  HIGH: Selected
No ICS Supplemental Guidance.

RA-5 VULNERABILITY SCANNING
RA-5  Vulnerability Scanning  LOW: Selected  MOD: Selected  HIGH: Selected
RA-5 (1)  VULNERABILITY SCANNING | UPDATE TOOL CAPABILITY  LOW: -  MOD: Selected  HIGH: Selected
RA-5 (2)  VULNERABILITY SCANNING | UPDATE BY FREQUENCY / PRIOR TO NEW SCAN / WHEN IDENTIFIED  LOW: -  MOD: Selected  HIGH: Selected
RA-5 (4)  VULNERABILITY SCANNING | DISCOVERABLE INFORMATION  LOW: -  MOD: -  HIGH: Selected
RA-5 (5)  VULNERABILITY SCANNING | PRIVILEGED ACCESS  LOW: -  MOD: Selected  HIGH: Selected
ICS Supplemental Guidance: Active vulnerability scanning, which introduces network traffic, is used with care on ICS to ensure that ICS functions are not adversely impacted by the scanning process. The organization makes a risk-based determination whether to employ active scanning. Passive monitoring/sniffing may be used as part of a compensating control. Example compensating controls include providing a replicated, virtualized, or simulated system to conduct scanning. Production ICS may need to be taken off-line before scanning can be conducted. If ICS are taken off-line for scanning, scans are scheduled to occur during planned ICS outages whenever possible. If vulnerability scanning tools are used on non-ICS networks, extra care is taken to ensure that they do not scan the ICS network. Network scanning is not applicable to non-addressable communications. Vulnerability examination may be performed using other mechanisms than scanning to identify the objects being examined. Host-based vulnerability examination is an example compensating control.
Control Enhancement: (1, 2, 4, 5) No ICS Supplemental Guidance.
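The RA-5 ICS Supplemental Guidance above can be enforced as a pre-scan check rather than left to procedure. The following Python script is an added example, not code from NIST SP 800-82 or the JPCERT translation: it refuses active scan targets that fall inside ICS address space unless a risk-based approval is recorded and the scan starts inside a planned ICS outage window, and it builds a passive host inventory from observed connection records as the compensating control the guidance names. The ICS networks, outage windows, port-to-protocol map and connection records are constructed sample values.

```python
"""Pre-scan guardrails derived from the RA-5 ICS Supplemental Guidance.

Added example, not part of NIST SP 800-82. It checks a proposed active
vulnerability scan job so that (1) targets inside ICS networks are refused
unless the organization has made a risk-based approval, (2) approved ICS
scans run only inside a planned ICS outage window, and (3) a passive
inventory of ICS hosts is built from connection records instead of scanning.
All networks, windows, ports and log lines below are constructed samples.
"""
import ipaddress
from datetime import datetime

# Constructed ICS address space; in practice this comes from the asset inventory.
ICS_NETWORKS = [ipaddress.ip_network(n) for n in ("10.50.0.0/16", "192.168.100.0/24")]

# Constructed planned ICS outage windows as (start, end) in ISO 8601, UTC.
PLANNED_OUTAGES = [("2024-06-01T02:00:00+00:00", "2024-06-01T06:00:00+00:00")]

# Well-known TCP ports of two common ICS protocols (Modbus/TCP, DNP3).
ICS_PORTS = {502: "modbus", 20000: "dnp3"}


def ics_network_for(target):
    """Return the ICS network that a target host or CIDR overlaps, else None."""
    net = ipaddress.ip_network(target, strict=False)
    for ics in ICS_NETWORKS:
        if net.version == ics.version and net.overlaps(ics):
            return ics
    return None


def in_planned_outage(when_iso):
    """True if the ISO 8601 timestamp falls inside a planned ICS outage window."""
    when = datetime.fromisoformat(when_iso)
    return any(datetime.fromisoformat(start) <= when < datetime.fromisoformat(end)
               for start, end in PLANNED_OUTAGES)


def vet_scan_job(targets, when_iso, ics_scan_approved=False):
    """Split scan targets into allowed ones and blocked ones with a reason.

    Non-ICS targets are always allowed. ICS targets need a recorded
    risk-based approval and a start time inside a planned outage window.
    """
    allowed, blocked = [], []
    for target in targets:
        ics = ics_network_for(target)
        if ics is None:
            allowed.append(target)
        elif not ics_scan_approved:
            blocked.append((target, f"inside ICS network {ics}; no risk-based "
                                    "approval recorded, use passive monitoring instead"))
        elif not in_planned_outage(when_iso):
            blocked.append((target, f"inside ICS network {ics}; scan time is "
                                    "outside a planned ICS outage"))
        else:
            allowed.append(target)
    return {"allowed": allowed, "blocked": blocked}


def passive_ics_inventory(conn_records):
    """Build a host inventory from passively observed connection records.

    Each record is 'timestamp src_ip dst_ip dst_port' (a constructed format
    similar to a flow or conn log). Only destinations inside ICS networks on
    a known ICS protocol port are inventoried; no traffic is generated.
    """
    inventory = {}
    for line in conn_records:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess at them
        _, _src, dst, port = parts
        try:
            port = int(port)
        except ValueError:
            continue
        if port in ICS_PORTS and ics_network_for(dst) is not None:
            inventory.setdefault(dst, set()).add(ICS_PORTS[port])
    return {host: sorted(protos) for host, protos in sorted(inventory.items())}


# Constructed sample connection records (not real traffic).
SAMPLE_CONN_RECORDS = [
    "2024-05-30T10:00:01Z 10.50.0.10 10.50.1.7 502",
    "2024-05-30T10:00:02Z 10.50.0.10 10.50.1.8 20000",
    "2024-05-30T10:00:03Z 10.1.2.3 10.50.1.7 502",
    "2024-05-30T10:00:04Z 10.1.2.3 203.0.113.5 443",
    "malformed record",
]

if __name__ == "__main__":
    job = vet_scan_job(["10.1.2.3", "10.50.1.7", "192.168.100.0/25"],
                       "2024-06-01T03:00:00+00:00", ics_scan_approved=True)
    print(job)
    print(passive_ics_inventory(SAMPLE_CONN_RECORDS))
```

Serial and other non-addressable links never appear in connection records, so, as the guidance says, they fall outside both the scan check and the passive inventory.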
SYSTEM AND SERVICES ACQUISITION - SA

Tailoring Considerations for System and Services Acquisition Family
In situations where the ICS cannot support the specific System and Services Acquisition requirements of a control, the organization employs compensating controls in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as appropriate.

Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.

SA-1 SYSTEM AND SERVICES ACQUISITION POLICY AND PROCEDURES
Baselines: LOW Selected, MOD Selected, HIGH Selected
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

SA-2 ALLOCATION OF RESOURCES
Baselines: LOW Selected, MOD Selected, HIGH Selected
No ICS Supplemental Guidance.

SA-3 SYSTEM DEVELOPMENT LIFE CYCLE
Baselines: LOW Selected, MOD Selected, HIGH Selected
No ICS Supplemental Guidance.

SA-4 ACQUISITION PROCESS
Baselines: LOW Selected, MOD Selected, HIGH Selected
SA-4 (1) Acquisition Process | Functional Properties of Security Controls: MOD Selected, HIGH Selected
SA-4 (2) Acquisition Process | Design / Implementation Information for Security Controls: MOD Selected, HIGH Selected
SA-4 (9) Acquisition Process | Functions / Ports / Protocols / Services in Use: MOD Selected, HIGH Selected
SA-4 (10) Acquisition Process | Use of Approved PIV Products: LOW Selected, MOD Selected, HIGH Selected
ICS Supplemental Guidance: Since ICS security has historically focused on physical protection and isolation, vendors and developers may be unfamiliar with cybersecurity. Organizations should anticipate a need to engage with ICS suppliers to raise awareness of cybersecurity needs. The SCADA/Control Systems Procurement Project provides example cybersecurity procurement language for ICS. References: Web: https://ics-cert.us-cert.gov/sites/default/files/documents/Procurement_Language_Rev4_100809.pdf
Control Enhancements: (1, 2, 9) ICS Supplemental Guidance: Developers may not have access to required information.
Control Enhancement: (10) ICS Supplemental Guidance: Example compensating controls include employing external products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability in conjunction with ICS products.

SA-5 INFORMATION SYSTEM DOCUMENTATION
Baselines: LOW Selected, MOD Selected, HIGH Selected
No ICS Supplemental Guidance.

SA-8 SECURITY ENGINEERING PRINCIPLES
Baselines: MOD Selected, HIGH Selected
No ICS Supplemental Guidance.

SA-9 EXTERNAL INFORMATION SYSTEM SERVICES
Baselines: LOW Selected, MOD Selected, HIGH Selected
SA-9 (2) External Information Systems | Identification of Functions / Ports / Protocols / Services: MOD Selected, HIGH Selected
No ICS Supplemental Guidance.

SA-10 DEVELOPER CONFIGURATION MANAGEMENT
Baselines: MOD Selected, HIGH Selected
No ICS Supplemental Guidance.

SA-11 DEVELOPER SECURITY TESTING AND EVALUATION
Baselines: MOD Selected, HIGH Selected
No ICS Supplemental Guidance.

SA-12 SUPPLY CHAIN PROTECTION
Baselines: HIGH Selected
No ICS Supplemental Guidance.

SA-15 DEVELOPMENT PROCESS, STANDARDS, AND TOOLS
Baselines: LOW Selected, MOD Selected, HIGH Selected
No ICS Supplemental Guidance.

SA-16 DEVELOPER-PROVIDED TRAINING
Baselines: HIGH Selected
No ICS Supplemental Guidance.

SA-17 DEVELOPER SECURITY ARCHITECTURE AND DESIGN
Baselines: HIGH Selected
No ICS Supplemental Guidance.
SYSTEM AND COMMUNICATIONS PROTECTION - SC

Tailoring Considerations for System and Communications Protection Family
The use of cryptography is determined after careful consideration of the security needs and the potential ramifications on system performance. For example, the organization considers whether latency induced from the use of cryptography would adversely impact the operational performance of the ICS. While the legacy devices commonly found within ICS often lack direct support of cryptographic functions, compensating controls (e.g., encapsulations) may be used to meet the intent of the control.
In situations where the ICS cannot support the specific System and Communications Protection requirements of a control, the organization employs compensating controls in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as appropriate.

Supplemental Guidance
Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.

SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES
Baselines: LOW Selected, MOD Selected, HIGH Selected
ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems.

SC-2 APPLICATION PARTITIONING
Baselines: MOD Selected, HIGH Selected
ICS Supplemental Guidance: Systems used to manage the ICS should be separate from the operational ICS components. Example compensating controls include providing increased auditing measures.

SC-3 SECURITY FUNCTION ISOLATION
Baselines: HIGH Selected
ICS Supplemental Guidance: Example compensating controls include providing increased auditing measures, limiting network connectivity, and architectural allocation.

SC-4 INFORMATION IN SHARED RESOURCES
Baselines: MOD Selected, HIGH Selected
ICS Supplemental Guidance: Example compensating controls include architecting the use of the ICS to prevent sharing system resources.

SC-5 DENIAL OF SERVICE PROTECTION
Baselines: LOW Selected, MOD Selected, HIGH Selected
ICS Supplemental Guidance: Example compensating controls include ensuring that a loss of communication results in the ICS operating in nominal or safe mode.
Risk-based analysis informs the establishment of policy and procedure.

SC-7 BOUNDARY PROTECTION
Baselines: LOW Selected, MOD Selected, HIGH Selected
SC-7 (3) Boundary Protection | Access Points: MOD Selected, HIGH Selected
SC-7 (4) Boundary Protection | External Telecommunications Services: MOD Selected, HIGH Selected
SC-7 (5) Boundary Protection | Deny by Default / Allow by Exception: MOD Selected, HIGH Selected
SC-7 (7) Boundary Protection | Prevent Split Tunneling for Remote Devices: MOD Selected, HIGH Selected
SC-7 (8) Boundary Protection | Route Traffic to Authenticated Proxy Servers: HIGH Selected
SC-7 (18) Boundary Protection | Fail Secure: MOD Added, HIGH Selected
SC-7 (21) Boundary Protection | Isolation of Information System Components: HIGH Selected
No ICS Supplemental Guidance.
Control Enhancements: (3, 4, 5, 7, 8, 21) No ICS Supplemental Guidance.
Control Enhancement: (18) ICS Supplemental Guidance: The organization selects an appropriate failure mode (e.g., permit or block all communications). Rationale for adding SC-7 (18) to Moderate Baseline: As part of the architecture and design of the ICS, the organization selects an appropriate failure mode in accordance with the function performed by the ICS and the operational environment. The ability to choose the failure mode for the physical part of the ICS differentiates the ICS from other IT systems. This choice may be a significant influence in mitigating the impact of a failure.

SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY
Baselines: MOD Selected, HIGH Selected
SC-8 (1) Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection: MOD Selected, HIGH Selected
No ICS Supplemental Guidance.
Control Enhancement: (1) ICS Supplemental Guidance: The organization explores all possible cryptographic integrity mechanisms (e.g., digital signature, hash function). Each mechanism has a different delay impact.

SC-10 NETWORK DISCONNECT
Baselines: MOD Selected, HIGH Selected
ICS Supplemental Guidance: Example compensating controls include providing increased auditing measures or limiting remote access privileges to key personnel.
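The SC tailoring considerations name encapsulation as the compensating control for legacy devices that cannot do cryptography themselves, and SC-8 (1) asks the organization to weigh the delay each integrity mechanism adds. The following added example, which is not code from the publication, shows both: a pair of gateways that wrap a plaintext legacy control frame in an authenticated envelope with a sequence number (integrity plus replay detection), and a micro-benchmark of the per-frame delay for three keyed-hash mechanisms. The envelope format, key, and Modbus/TCP-style frame are constructed for this example.

```python
import hashlib
import hmac
import struct
import time

MAGIC = b"ENV1"
HEADER = struct.Struct("!4sQH")   # magic, 64-bit sequence number, payload length
TAG_LEN = 16                      # truncated tag; one size for every mechanism

# Constructed sample data (not from the publication): a 32-byte pre-shared key and a
# Modbus/TCP-style "write single register" ADU as it would leave a legacy device in clear.
SAMPLE_KEY = bytes(range(32))
SAMPLE_FRAME = b"\x00\x01\x00\x00\x00\x06\x01\x06\x00\x10\x00\x2a"


def make_tag(key: bytes, mech: str, data: bytes) -> bytes:
    """Keyed integrity tag over header+payload for one of three mechanisms."""
    if mech in ("sha256", "sha512"):
        return hmac.new(key, data, mech).digest()[:TAG_LEN]
    if mech == "blake2s":
        return hashlib.blake2s(data, key=key, digest_size=TAG_LEN).digest()
    raise ValueError(f"unsupported mechanism {mech!r}")


class Sender:
    """Encapsulating gateway on the sending side of the legacy link."""
    def __init__(self, key: bytes, mech: str = "sha256"):
        self.key, self.mech, self.seq = key, mech, 0

    def wrap(self, payload: bytes) -> bytes:
        self.seq += 1                          # monotonic; never reused under this key
        header = HEADER.pack(MAGIC, self.seq, len(payload))
        return header + payload + make_tag(self.key, self.mech, header + payload)


class Receiver:
    """Peer gateway: verifies the tag and rejects replays before forwarding."""
    def __init__(self, key: bytes, mech: str = "sha256"):
        self.key, self.mech, self.last_seq = key, mech, 0

    def unwrap(self, frame: bytes) -> bytes:
        """Return the legacy payload; raise ValueError so the caller drops and alerts."""
        if len(frame) < HEADER.size + TAG_LEN:
            raise ValueError("short frame")
        magic, seq, n = HEADER.unpack_from(frame)
        if magic != MAGIC:
            raise ValueError("bad magic")
        body, tag = frame[:HEADER.size + n], frame[HEADER.size + n:]
        payload = body[HEADER.size:]
        if len(payload) != n or not hmac.compare_digest(tag, make_tag(self.key, self.mech, body)):
            raise ValueError("integrity check failed")
        if seq <= self.last_seq:
            raise ValueError("replayed or out-of-order frame")
        self.last_seq = seq
        return payload


def _rejects(receiver: Receiver, frame: bytes) -> bool:
    try:
        receiver.unwrap(frame)
    except ValueError:
        return True
    return False


def self_check(mech: str = "sha256") -> dict:
    """Round-trip, tamper and replay behaviour of the envelope for one mechanism."""
    s, r = Sender(SAMPLE_KEY, mech), Receiver(SAMPLE_KEY, mech)
    frame = s.wrap(SAMPLE_FRAME)
    out = {"roundtrip": r.unwrap(frame) == SAMPLE_FRAME}
    tampered = bytearray(frame)
    tampered[HEADER.size + 10] ^= 0x01       # flip one bit of the register value
    out["tamper_rejected"] = _rejects(r, bytes(tampered))
    out["replay_rejected"] = _rejects(r, frame)
    out["next_accepted"] = r.unwrap(s.wrap(SAMPLE_FRAME)) == SAMPLE_FRAME
    return out


def measure_delay(mechs=("sha256", "sha512", "blake2s"), iterations=2000) -> dict:
    """Added wrap+unwrap delay per frame, in microseconds, for each mechanism."""
    result = {}
    for mech in mechs:
        s, r = Sender(SAMPLE_KEY, mech), Receiver(SAMPLE_KEY, mech)
        start = time.perf_counter()
        for _ in range(iterations):
            r.unwrap(s.wrap(SAMPLE_FRAME))
        result[mech] = (time.perf_counter() - start) / iterations * 1e6
    return result
```

The delay figures are the quantity the SC tailoring text asks the organization to compare against the loop's latency budget; the envelope gives integrity and replay detection but, by design, no confidentiality.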
SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT
Baselines: LOW Selected, MOD Selected, HIGH Selected
SC-12 (1) Cryptographic Key Establishment and Management | Availability: HIGH Selected
ICS Supplemental Guidance: The use of cryptographic key management in ICS is intended to support internal nonpublic use.
Control Enhancement: (1) No ICS Supplemental Guidance.

SC-13 CRYPTOGRAPHIC PROTECTION
Baselines: LOW Selected, MOD Selected, HIGH Selected
No ICS Supplemental Guidance.

SC-15 COLLABORATIVE COMPUTING DEVICES
Baselines: LOW Selected, MOD Selected, HIGH Selected
No ICS Supplemental Guidance.

SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES
Baselines: MOD Selected, HIGH Selected
No ICS Supplemental Guidance.

SC-18 MOBILE CODE
Baselines: MOD Selected, HIGH Selected
No ICS Supplemental Guidance.

SC-19 VOICE OVER INTERNET PROTOCOL
Baselines: MOD Selected, HIGH Selected
ICS Supplemental Guidance: The use of VoIP technologies is determined after careful consideration and after verification that it does not adversely impact the operational performance of the ICS.

SC-20 SECURE NAME / ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)
Baselines: LOW Selected, MOD Selected, HIGH Selected
ICS Supplemental Guidance: The use of secure name/address resolution services is determined after careful consideration and after verification that it does not adversely impact the operation of the ICS.

SC-21 SECURE NAME / ADDRESS RESOLUTION SERVICE (RECURSIVE OR CACHING RESOLVER)
Baselines: LOW Selected, MOD Selected, HIGH Selected
ICS Supplemental Guidance: The use of secure name/address resolution services is determined after careful consideration and after verification that it does not adversely impact the operation of the ICS.

SC-22 ARCHITECTURE AND PROVISIONING FOR NAME / ADDRESS RESOLUTION SERVICE
Baselines: LOW Selected, MOD Selected, HIGH Selected
ICS Supplemental Guidance: The use of secure name/address resolution services is determined after careful consideration and after verification that it does not adversely impact the operational performance of the ICS.

SC-23 SESSION AUTHENTICITY
Baselines: MOD Selected, HIGH Selected
ICS Supplemental Guidance: Example compensating controls include auditing measures.

SC-24 FAIL IN KNOWN STATE
Baselines: MOD Added, HIGH Selected
ICS Supplemental Guidance: The organization selects an appropriate failure state. Preserving ICS state information includes consistency among ICS state variables and the physical state which the ICS represents (e.g., whether valves are open or closed, communication permitted or blocked, continue operations). Rationale for adding SC-24 to Moderate Baseline: As part of the architecture and design of the ICS, the organization selects an appropriate failure state of an ICS in accordance with the function performed by the ICS and the operational environment. The ability to choose the failure mode for the physical part of the ICS differentiates the ICS from other IT systems. This choice may be a significant influence in mitigating the impact of a failure, since it may be disruptive to ongoing physical processes (e.g., valves failing in closed position may adversely affect system cooling).
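SC-5, SC-7 (18) and SC-24 all turn on the same design decision: the organization chooses, in advance, what the plant and its boundary do when supervisory communication is lost, and keeps the recorded state variables consistent with the physical state. The following added example, which is not code from the publication, is a supervisory watchdog that applies such an engineered fail state per actuator (the cooling valve fails open, as the SC-24 rationale warns) and per boundary device, records what it commanded, and cross-checks the record against the physical state. Device names, the timeout and the fail positions are constructed; treating return to nominal as an operator action rather than automatic is an assumed policy.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    NOMINAL = "nominal"
    SAFE = "safe"


@dataclass
class Actuator:
    name: str
    fail_position: str   # engineered in advance: the known state for this device
    position: str        # what the watchdog last commanded


@dataclass
class Boundary:
    """Boundary device whose failure mode was chosen under SC-7 (18)."""
    name: str
    fail_mode: str       # "block" or "permit"
    state: str = "permit"


@dataclass
class Watchdog:
    actuators: list
    boundary: Boundary
    timeout_s: float
    last_heartbeat: float
    mode: Mode = Mode.NOMINAL
    log: list = field(default_factory=list)

    def heartbeat(self, now: float) -> None:
        """Called whenever a valid supervisory message arrives."""
        self.last_heartbeat = now

    def comms_lost(self, now: float) -> bool:
        return now - self.last_heartbeat > self.timeout_s

    def tick(self, now: float) -> Mode:
        """Periodic check; drives the plant to its known state on comms loss."""
        if self.mode is Mode.NOMINAL and self.comms_lost(now):
            for a in self.actuators:
                a.position = a.fail_position
            self.boundary.state = self.boundary.fail_mode
            self.mode = Mode.SAFE
            self.log.append((now, "communication lost; entered safe state"))
        return self.mode

    def operator_reset(self, now: float) -> bool:
        """Leaving the safe state is a deliberate act, never automatic (assumed policy)."""
        if self.mode is Mode.SAFE and not self.comms_lost(now):
            self.mode = Mode.NOMINAL
            self.boundary.state = "permit"
            self.log.append((now, "operator reset; nominal operation resumed"))
            return True
        return False

    def snapshot(self) -> dict:
        """The recorded state variables SC-24 expects to match the physical state."""
        return {"mode": self.mode.value,
                "actuators": {a.name: a.position for a in self.actuators},
                "boundary": self.boundary.state}

    def consistent(self) -> bool:
        """Cross-check of the record against the engineered fail positions."""
        if self.mode is Mode.NOMINAL:
            return True
        return (all(a.position == a.fail_position for a in self.actuators)
                and self.boundary.state == self.boundary.fail_mode)


def build_demo() -> Watchdog:
    """Constructed sample plant: 5 s heartbeat timeout, last heartbeat at t=0."""
    return Watchdog(
        actuators=[Actuator("feed_isolation_valve", "closed", "open"),
                   Actuator("cooling_valve", "open", "open"),   # cooling must not stop
                   Actuator("pump_1", "stopped", "running")],
        boundary=Boundary("ics_firewall", fail_mode="block"),
        timeout_s=5.0,
        last_heartbeat=0.0,
    )
```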
SC-28 PROTECTION OF INFORMATION AT REST
Baselines: MOD Selected, HIGH Selected
ICS Supplemental Guidance: The use of cryptographic mechanisms is determined after careful consideration and after verification that it does not adversely impact the operational performance of the ICS.

SC-39 PROCESS ISOLATION
Baselines: LOW Selected, MOD Selected, HIGH Selected
ICS Supplemental Guidance: Example compensating controls include partitioning processes onto separate platforms.

SC-41 PORT AND I/O DEVICE ACCESS
Baselines: LOW Added, MOD Added, HIGH Added
No ICS Supplemental Guidance.
Rationale for adding SC-41 to all baselines: The function of ICS can be readily determined in advance, making it easier to identify ports and I/O devices that are unnecessary. Disabling or removing ports reinforces air-gap policy.

SYSTEM AND INFORMATION INTEGRITY - SI

Tailoring Considerations for System and Information Integrity Family
In situations where the ICS cannot support the specific System and
Information Integrity requirements of a control, the organization employs compensating controls in accordance with the general tailoring guidance. Examples of compensating controls are given with each control, as appropriate. Supplemental Guidance Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any. SI-1 SYSTEM AND INFORMATION INTEGRITY POLICY AND PROCEDURES CONTROL NAME CNTL NO. SI-1 CONTROL BASELINES Control Enhancement Name System and Information Integrity Policy and Procedures LOW MOD HIGH Selected Selected Selected ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS and the relationship to non-ICS systems. SI-2 FLAW REMEDIATION CONTROL NAME CNTL NO. SI-2 CONTROL BASELINES Control Enhancement Name Flaw Remediation SI-2 (1) FLAW REMEDIATION | CENTRAL MANAGEMENT SI-2 (2) FLAW REMEDIATION | AUTOMATED FLAW REMEDIATION STATUS LOW MOD HIGH Selected Selected Selected Selected Selected Selected ICS Supplemental Guidance: Flaw Remediation is complicated since many ICS employ operating systems and other software that is not current, is no longer being maintained by the vendors, and is not resistant to current threats. ICS operators are often dependent on product vendors to validate the operability of a patch and also sometimes to perform the installation. Often flaws cannot be remediated based on circumstances outside of the ICS operator's control (e.g., lack of a vendor patch). Sometime the organization has no choice but to accept additional risk. In these situations, compensating controls should be implemented (e.g., limit the exposure of the vulnerable system). 
Other compensating controls that do not decrease the residual risk but increase the ability to respond may be desirable (e.g., provide a timely response in case of an incident; devise a plan to ensure the ICS can identify the exploitation of the flaw). Testing flaw remediation in an ICS may require more resources than the organization can commit. Control Enhancement: (1) No ICS Supplemental Guidance. Control Enhancement: (2) ICS Supplemental Guidance: In situations where the ICS cannot support the use of automated mechanisms to conduct and report on the status of flaw remediation, the organization employs nonautomated mechanisms or procedures which incorporate methods to apply, track, and verify mitigation efforts as compensating controls in accordance with the general tailoring guidance. SI-3 MALICIOUS CODE PROTECTION CONTROL NAME CNTL NO. SI-3 CONTROL BASELINES Control Enhancement Name Malicious Code Protection LOW MOD HIGH Selected Selected Selected SI-3 (1) MALICIOUS CODE PROTECTION | CENTRAL MANAGEMENT Selected Selected SI-3 (2) MALICIOUS CODE PROTECTION | AUTOMATIC UPDATES Selected Selected ICS Supplemental Guidance: The use and deployment of malicious code protection is determined after careful consideration and after verification that it does not adversely impact the operation of the ICS. 
SPECIAL PUBLICATION 800-82 REVISION 2 GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY

Malicious code protection tools should be configured to minimize their potential impact on the ICS (e.g., employ notification rather than quarantine). Example compensating controls include increased traffic monitoring and auditing.

Control Enhancement: (1) ICS Supplemental Guidance: The organization implements central management of malicious code protection with consideration of the impact on operation of the ICS. Example compensating controls include increased auditing.

Control Enhancement: (2) ICS Supplemental Guidance: The organization implements automatic updates of malicious code protection with consideration of the impact on operation of the ICS. In situations where the ICS cannot support the use of automatic update of malicious code protection, the organization employs nonautomated procedures as compensating controls in accordance with the general tailoring guidance.

SI-4 INFORMATION SYSTEM MONITORING

CNTL NO.   CONTROL NAME / Control Enhancement Name                                         LOW        MOD        HIGH
SI-4       Information System Monitoring                                                   Selected   Selected   Selected
SI-4 (2)   INFORMATION SYSTEM MONITORING | AUTOMATED TOOLS FOR REAL-TIME ANALYSIS          -          Selected   Selected
SI-4 (4)   INFORMATION SYSTEM MONITORING | INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC     -          Selected   Selected
SI-4 (5)   INFORMATION SYSTEM MONITORING | SYSTEM-GENERATED ALERTS                         -          Selected   Selected

ICS Supplemental Guidance: The organization ensures that the use of monitoring tools and techniques does not adversely impact the operational performance of the ICS. Example compensating controls include deploying sufficient network monitoring.
Control Enhancement: (2) ICS Supplemental Guidance: In situations where the ICS cannot support the use of automated tools to support near-real-time analysis of events, the organization employs compensating controls (e.g., providing an auditing capability on a separate system, nonautomated mechanisms or procedures) in accordance with the general tailoring guidance.

Control Enhancement: (4) ICS Supplemental Guidance: In situations where the ICS cannot monitor inbound and outbound communications traffic, the organization employs compensating controls (e.g., providing a monitoring capability on a separate information system).

Control Enhancement: (5) ICS Supplemental Guidance: Example compensating controls include manual methods of generating alerts.

SI-5 SECURITY ALERTS, ADVISORIES, AND DIRECTIVES

CNTL NO.   CONTROL NAME / Control Enhancement Name                                           LOW        MOD        HIGH
SI-5       Security Alerts, Advisories, and Directives                                       Selected   Selected   Selected
SI-5 (1)   SECURITY ALERTS, ADVISORIES, AND DIRECTIVES | AUTOMATED ALERTS AND ADVISORIES     -          -          Selected

ICS Supplemental Guidance: The DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) generates security alerts and advisories relevant to ICS (http://ics-cert.us-cert.gov/).

Control Enhancement: (1) No ICS Supplemental Guidance.

SI-6 SECURITY FUNCTIONALITY VERIFICATION

CNTL NO.   CONTROL NAME / Control Enhancement Name     LOW   MOD   HIGH
SI-6       Security Function Verification              -     -     Selected

ICS Supplemental Guidance: The shutting down and restarting of the ICS may not always be feasible upon the identification of an anomaly; these actions should be scheduled according to ICS operational requirements.
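The SI-4 (4) compensating control above, a monitoring capability on a separate information system, is easiest to see as code. The following Python example is added here and is not part of NIST SP 800-82 or the JPCERT translation: a passive monitor, fed by a SPAN port or flow exporter, that checks ICS-zone conversations against an allow-list and never touches the controllers. The zone 10.20.0.0/16, the allowed conversations, the record format and the sample flow records are all constructed for the example; ICS traffic is repetitive enough that such an explicit allow-list is a workable baseline.

```python
"""Added example, not part of NIST SP 800-82 or the JPCERT translation.

A passive conversation monitor of the kind SI-4 (4) allows as a compensating
control: it runs on a separate system fed by a SPAN port or flow exporter and
never touches the controllers.  The zone, the allow-list and the flow records
below are all constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

ICS_ZONE = ipaddress.ip_network("10.20.0.0/16")   # assumed control network

# Expected conversations: (source prefix, destination prefix, protocol, dst port).
# The hosts are assumed; 502/tcp is Modbus/TCP, 44818/tcp is EtherNet/IP.
ALLOWED = [
    (ipaddress.ip_network(s), ipaddress.ip_network(d), proto, port)
    for s, d, proto, port in [
        ("10.20.1.0/24", "10.20.2.0/24", "tcp", 502),     # HMIs -> PLCs
        ("10.20.1.10/32", "10.20.2.0/24", "tcp", 44818),  # engineering workstation -> PLCs
        ("10.20.2.0/24", "10.20.1.5/32", "udp", 123),     # PLCs -> NTP on the historian
    ]
]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int

def classify(flow):
    """Return None for an expected flow, otherwise a short reason for an alert."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    where = "%s -> %s:%d/%s" % (flow.src, flow.dst, flow.dport, flow.proto)
    if src in ICS_ZONE and dst not in ICS_ZONE:
        # Nothing in the control zone should initiate a conversation with the outside.
        return "outbound from ICS zone: " + where
    if dst in ICS_ZONE and src not in ICS_ZONE:
        return "inbound into ICS zone: " + where
    if src in ICS_ZONE and dst in ICS_ZONE:
        for s_net, d_net, proto, port in ALLOWED:
            if src in s_net and dst in d_net and flow.proto == proto and flow.dport == port:
                return None
        return "unexpected intra-zone conversation: " + where
    return None   # traffic entirely outside the zone is not this monitor's concern

def parse_flows(lines):
    """Parse 'src dst proto dport bytes' records (a constructed format)."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, nbytes = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport), int(nbytes)))
    return flows

def alerts_for(lines):
    """Return (flow, reason) for every flow that is not on the allow-list."""
    alerts = []
    for flow in parse_flows(lines):
        reason = classify(flow)
        if reason is not None:
            alerts.append((flow, reason))
    return alerts

SAMPLE_FLOWS = """\
# src          dst            proto  dport  bytes    (constructed sample)
10.20.1.20     10.20.2.7      tcp    502    1840
10.20.1.10     10.20.2.7      tcp    44818  9120
10.20.2.7      10.20.1.5      udp    123    76
10.20.2.7      203.0.113.9    tcp    443    5210
192.0.2.44     10.20.2.7      tcp    502    300
10.20.1.20     10.20.2.7      tcp    22     2100
"""

if __name__ == "__main__":
    for flow, reason in alerts_for(SAMPLE_FLOWS.splitlines()):
        print("ALERT: %s (%d bytes)" % (reason, flow.nbytes))
```

On the constructed sample the first three records match the allow-list and the last three produce alerts: a controller talking outbound to 203.0.113.9, an outside host reaching a controller on the Modbus port, and an HMI opening an SSH session to a PLC that the baseline never expected. Because the monitor only reads copied traffic, it adds no load to the controllers, which is the point of the SI-4 base guidance.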
SI-7 SOFTWARE AND INFORMATION INTEGRITY

CNTL NO.   CONTROL NAME / Control Enhancement Name                                                           LOW   MOD        HIGH
SI-7       Software, Firmware, and Information Integrity                                                     -     Selected   Selected
SI-7 (1)   SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY CHECKS                                  -     Selected   Selected
SI-7 (2)   SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED NOTIFICATIONS OF INTEGRITY VIOLATIONS   -     -          Selected
SI-7 (5)   SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | AUTOMATED RESPONSE TO INTEGRITY VIOLATIONS        -     -          Selected
SI-7 (7)   SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRATION OF DETECTION AND RESPONSE             -     Selected   Selected
SI-7 (14)  SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | BINARY OR MACHINE EXECUTABLE CODE                 -     -          Selected

ICS Supplemental Guidance: The organization determines whether the use of integrity verification applications would adversely impact the operation of the ICS and employs compensating controls (e.g., manual integrity verifications that do not affect performance).

Control Enhancement: (1) ICS Supplemental Guidance: The organization ensures that the use of integrity verification applications does not adversely impact the operational performance of the ICS.

Control Enhancement: (2) ICS Supplemental Guidance: In situations where the organization cannot employ automated tools that provide notification of integrity discrepancies, the organization employs nonautomated mechanisms or procedures. Example compensating controls include performing scheduled manual inspections for integrity violations.

Control Enhancement: (5) ICS Supplemental Guidance: The shutting down and restarting of the ICS may not always be feasible upon the identification of an anomaly; these actions should be scheduled according to ICS operational requirements.
Control Enhancement: (7) ICS Supplemental Guidance: In situations where the ICS cannot detect unauthorized security-relevant changes, the organization employs compensating controls (e.g., manual procedures) in accordance with the general tailoring guidance.

Control Enhancement: (14) No ICS Supplemental Guidance.

SI-8 SPAM PROTECTION

CNTL NO.   CONTROL NAME / Control Enhancement Name                            LOW   MOD        HIGH
SI-8       Spam Protection                                                    -     Selected   Selected
SI-8 (1)   SPAM PROTECTION | CENTRAL MANAGEMENT OF PROTECTION MECHANISMS      -     Selected   Selected
SI-8 (2)   SPAM PROTECTION | AUTOMATIC UPDATES                                -     Selected   Selected

ICS Supplemental Guidance: ICS spam protection may be implemented by removing spam transport mechanisms, functions and services (e.g., electronic mail, Internet access) from the ICS. If any spam transport mechanisms, functions and services are present in the ICS, spam protection in ICS takes into account operational characteristics of ICS that differ from general purpose information systems (e.g., unusual traffic flow that may be misinterpreted and detected as spam). Example compensating controls include whitelisted mail transfer agents (MTA), digitally signed messages, acceptable sources, and acceptable message types.

Control Enhancement: (1) ICS Supplemental Guidance: Example compensating controls include employing local mechanisms or procedures.

Control Enhancement: (2) No ICS Supplemental Guidance.
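The integrity checks that SI-7 (1), (2) and (7) above ask for, and the SI-7 (5) caveat that an automated response may not be acceptable on an ICS, can be implemented as a baseline-and-verify routine. The following Python example is added here and is not part of NIST SP 800-82 or the JPCERT translation. It hashes a tree of files, stores the baseline separately, and on a later run reports modified, added and missing files without quarantining, restarting or deleting anything; the decision is left to the operator. The mock PLC project directory, its file names and contents, and the tampering in demo() are constructed for the example.

```python
"""Added example, not part of NIST SP 800-82 or the JPCERT translation.

A baseline-and-verify integrity check of the kind SI-7 (1), (2) and (7) call
for.  It is written to run from a separate maintenance host, or on a schedule
operations agree to, and it only reports: no quarantine, restart or deletion,
because SI-7 (5) notes that an automated response may not be acceptable on an
ICS.  The directory tree and file contents in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile

CHUNK = 64 * 1024   # hash in chunks so a large firmware image is never read whole

def file_digest(path):
    """SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map every file under root (path relative to root, '/' separated) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full)
    return baseline

def verify(root, baseline):
    """Compare the tree under root with a stored baseline.

    Returns {'modified': [...], 'added': [...], 'missing': [...]}; three empty
    lists mean integrity holds.  Reporting only: the operator decides what to do.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }

def save_baseline(baseline, path):
    """Store the baseline as JSON; keep this file off the ICS and under change control."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)

def load_baseline(path):
    with open(path) as f:
        return json.load(f)

def demo():
    """Constructed scenario: baseline a mock PLC project directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "logic"))
        with open(os.path.join(root, "logic", "pump_control.acd"), "wb") as f:
            f.write(b"ladder logic v1\n")
        with open(os.path.join(root, "firmware.bin"), "wb") as f:
            f.write(bytes(range(256)) * 4)

        baseline_path = os.path.join(store, "baseline.json")   # separate location
        save_baseline(build_baseline(root), baseline_path)
        clean = verify(root, load_baseline(baseline_path))

        # Simulated unauthorised changes: edited logic, dropped binary, removed firmware.
        with open(os.path.join(root, "logic", "pump_control.acd"), "ab") as f:
            f.write(b"; unauthorised edit\n")
        with open(os.path.join(root, "logic", "debug.dll"), "wb") as f:
            f.write(b"MZ")
        os.remove(os.path.join(root, "firmware.bin"))
        tampered = verify(root, load_baseline(baseline_path))
        return clean, tampered

if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before)
    print("after tampering:", after)
```

In practice the baseline file lives outside the ICS, is regenerated only through the change-control process, and the verification run is scheduled in a window operations approve, which keeps the I/O cost away from the control loop as SI-7 (1) requires. Pairing the report with a manual procedure for what happens when a list is non-empty covers the detection-and-response integration of SI-7 (7) without automating a restart.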
SI-10 INFORMATION INPUT VALIDATION

CNTL NO.   CONTROL NAME / Control Enhancement Name   LOW   MOD        HIGH
SI-10      Information Input Validation              -     Selected   Selected

No ICS Supplemental Guidance.

SI-11 ERROR HANDLING

CNTL NO.   CONTROL NAME / Control Enhancement Name   LOW   MOD        HIGH
SI-11      Error Handling                            -     Selected   Selected

No ICS Supplemental Guidance.

SI-12 INFORMATION HANDLING AND RETENTION

CNTL NO.   CONTROL NAME / Control Enhancement Name   LOW        MOD        HIGH
SI-12      Information Handling and Retention        Selected   Selected   Selected

No ICS Supplemental Guidance.

SI-13 PREDICTABLE FAILURE PREVENTION

CNTL NO.   CONTROL NAME / Control Enhancement Name   LOW   MOD   HIGH
SI-13      Predictable Failure Prevention            -     -     Added

ICS Supplemental Guidance: Failures in ICS can be stochastic or deterministic. Stochastic failures can be analyzed using probability theory, while analysis of deterministic failures is based on non-random properties of the system. Known ICS failure modes and causes are considered. The calculation and use of statistical descriptors, such as Mean Time To Failure (MTTF), should incorporate additional analysis to determine how those failures manifest within the cyber and physical domains. Knowledge of these possible manifestations may be necessary to detect whether a failure has occurred within the ICS, as failures of the information systems may not be easily identifiable. Emergent properties, which may arise both within the information systems and physical processes and can potentially cause system failures, should be incorporated into the analysis. For example, cumulative effects of resource exhaustion (e.g., memory leakage) or errors (e.g., rounding and truncation) can occur when ICS processes execute for unexpectedly long periods.
Deterministic failures (e.g., integer counter overflow), once identified, are preventable. Often substitute components may not be available or may not be sufficient to protect against faults occurring before predicted failure. Non-automated mechanisms or physical safeguards should be in place in order to protect against these failures.

In addition to information concerning newly discovered vulnerabilities (i.e., latent flaws) potentially affecting the system/applications that are discovered by forensic studies, new vulnerabilities may be identified by organizations with responsibility for disseminating vulnerability information (e.g., ICS-CERT) based upon an analysis of a similar pattern of incidents reported to them or vulnerabilities reported by other researchers. Related controls: IR-5, IR-6, RA-5, SI-2, SI-5, SI-11.

Rationale for adding control to baseline: ICS are designed and built with certain boundary conditions, design parameters, and assumptions about their environment and mode of operation. ICS may run much longer than conventional systems, allowing latent flaws to become effective that are not manifest in other environments. For example, integer overflow might never occur in systems that are reinitialized more frequently than the occurrence of the overflow. Experience and forensic studies of anomalies and incidents in ICS can lead to identification of emergent properties that were previously unknown, unexpected, or unanticipated.
Preventative and restorative actions (e.g., re-starting the system or application) are prudent but may not be acceptable for operational reasons in ICS.

SI-16 MEMORY PROTECTION

CNTL NO.   CONTROL NAME / Control Enhancement Name   LOW   MOD        HIGH
SI-16      Memory Protection                         -     Selected   Selected

No ICS Supplemental Guidance.

SI-17 FAIL-SAFE PROCEDURES

CNTL NO.   CONTROL NAME / Control Enhancement Name   LOW     MOD     HIGH
SI-17      Fail-Safe Procedures                      Added   Added   Added

ICS Supplemental Guidance: The selected failure conditions and corresponding procedures may vary among baselines. The same failure event may trigger different responses depending on the impact level. Mechanical and analog systems can be used to provide mechanisms to ensure fail-safe procedures. Fail-safe states should incorporate potential impacts to human safety, physical systems, and the environment. Related controls: CP-6.

Rationale for adding SI-17 to all baselines: This control provides a structure for the organization to identify its policy and procedures for dealing with failures and other incidents. Creating a written record of the decision process for selecting incidents and appropriate responses is part of risk management in light of the changing environment of operations.
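The deterministic failure that SI-13 above uses as its illustration, an integer counter that overflows only after a run time longer than any test or restart cycle, together with the rounding error that accumulates over unexpectedly long execution, is concrete enough to model. The following Python example is added here and is not part of NIST SP 800-82 or the JPCERT translation. It simulates a 32-bit millisecond tick counter with explicit masking, computes the exact time-to-wrap from the tick rate (a deterministic figure, not an MTTF), shows why a nightly restart hides the flaw, and contrasts a naive elapsed-time comparison with the wrap-safe modular form; a second function shows floating-point drift in a scan-time integrator. The 1 kHz tick, the watchdog timeout and the cycle counts are assumptions chosen to make the effect visible.

```python
"""Added example, not part of NIST SP 800-82 or the JPCERT translation.

Models the deterministic failures SI-13 describes: a 32-bit tick counter that
wraps only after a run time longer than any test cycle, and rounding error
that accumulates in a scan-time integrator.  The 1 kHz tick, the watchdog
timeout and the cycle counts are assumptions chosen to make the effect visible.
"""

MASK32 = 0xFFFFFFFF
TICK_HZ = 1000          # assumed: one tick per millisecond

def seconds_until_wrap(tick_hz=TICK_HZ, bits=32):
    """Time-to-failure of a free-running counter is exact, not a statistic."""
    return 2 ** bits / tick_hz          # 4294967.296 s, about 49.7 days at 1 kHz

def wrap_hidden_by_restart(restart_interval_s, tick_hz=TICK_HZ):
    """True when the system is reinitialised before the counter can wrap, i.e. the
    flaw stays latent in that environment (the situation SI-13's rationale describes)."""
    return restart_interval_s < seconds_until_wrap(tick_hz)

def naive_elapsed(now, start):
    """Plain subtraction of two register values: wrong once 'now' has wrapped."""
    return now - start

def wrap_safe_elapsed(now, start, mask=MASK32):
    """Modular subtraction: correct for any interval shorter than the counter period."""
    return (now - start) & mask

def timeout_decision(start_true, now_true, timeout_ticks, elapsed):
    """Evaluate a watchdog check with the given elapsed() on the 32-bit register
    values and return (decision, ground_truth) so the two can be compared."""
    start_reg = start_true & MASK32
    now_reg = now_true & MASK32
    decision = elapsed(now_reg, start_reg) >= timeout_ticks
    truth = (now_true - start_true) >= timeout_ticks
    return decision, truth

def first_wrong_decision(timeout_ticks, elapsed, window=5000):
    """Arm the watchdog shortly before the wrap and step through it; return the
    first true tick at which elapsed() disagrees with the truth, or None."""
    start_true = 2 ** 32 - timeout_ticks // 2
    for now_true in range(start_true, start_true + window):
        decision, truth = timeout_decision(start_true, now_true, timeout_ticks, elapsed)
        if decision != truth:
            return now_true
    return None

def drift_after(cycles, dt=0.1):
    """Accumulated error of summing a 100 ms scan time in binary floating point,
    compared with exact arithmetic in whole microseconds."""
    acc = 0.0
    for _ in range(cycles):
        acc += dt
    exact_seconds = cycles * 100_000 / 1_000_000
    return acc - exact_seconds

if __name__ == "__main__":
    print("counter wraps after %.1f days" % (seconds_until_wrap() / 86400))
    print("hidden by a nightly restart:", wrap_hidden_by_restart(24 * 3600))
    print("naive check first wrong at tick", first_wrong_decision(1000, naive_elapsed))
    print("wrap-safe check first wrong at tick", first_wrong_decision(1000, wrap_safe_elapsed))
    print("drift after 1e6 scan cycles: %.3g s" % drift_after(1_000_000))
```

With a 1 s watchdog armed 500 ms before the wrap, the naive comparison returns false for every tick after the wrap, so the timeout never fires; the modular form gives the right answer throughout, which is why the prevention is cheap once the failure is identified. The drift function shows the other SI-13 point: a million 100 ms scans summed in floating point are off by about a microsecond, an error that is invisible in a short test and only matters because the process keeps running.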
ORGANIZATION-WIDE INFORMATION SECURITY PROGRAM MANAGEMENT CONTROLS - PM

Characteristics of Organization-Wide Information Security Program Management Control Family

Organization-Wide Information Security Program Management Controls are deployed organization-wide supporting the information security program. They are not associated with security control baselines and are independent of any system impact level.

Supplemental Guidance

Supplemental Guidance for all Controls and Control Enhancements in NIST SP 800-53 Rev. 4, Appendix F, should be used in conjunction with the ICS Supplemental Guidance in this overlay, if any.

PM-1 INFORMATION SECURITY PROGRAM PLAN

CNTL NO.   CONTROL NAME / Control Enhancement Name
PM-1       Information Security Program Plan Policy and Procedures

ICS Supplemental Guidance: The policy specifically addresses the unique properties and requirements of ICS, the relationship to non-ICS systems, and the relationship to other programs concerned with operational characteristics of ICS (e.g., safety, efficiency, reliability, resilience).
PM-2 SENIOR INFORMATION SECURITY OFFICER

CNTL NO.   CONTROL NAME / Control Enhancement Name
PM-2       Senior Information Security Officer

No ICS Supplemental Guidance.

PM-3 INFORMATION SECURITY RESOURCES

CNTL NO.   CONTROL NAME / Control Enhancement Name
PM-3       Information Security Resources

ICS Supplemental Guidance: Capital planning and investment decisions address all of the relevant technologies and all phases of the life cycle and need to be informed by ICS experts as well as other subject matter experts (e.g., information security). Marshaling interdisciplinary working teams to advise capital planning and investment decisions can help to trade off and balance conflicting equities, objectives, and responsibilities such as capability, adaptability, resilience, safety, security, usability, and efficiency.

PM-4 PLAN OF ACTION AND MILESTONES PROCESS

CNTL NO.   CONTROL NAME / Control Enhancement Name
PM-4       Plan of Action and Milestones Process

ICS Supplemental Guidance: The plan of action and milestones includes both computational and physical ICS components. Records of observed shortcomings and appropriate remedial action may be maintained in a single document or in multiple coordinated documents (e.g., future engineering plans).
PM-5 INFORMATION SYSTEM INVENTORY

CNTL NO.   CONTROL NAME / Control Enhancement Name
PM-5       Information System Inventory

No ICS Supplemental Guidance.

PM-6 INFORMATION SECURITY MEASURES OF PERFORMANCE

CNTL NO.   CONTROL NAME / Control Enhancement Name
PM-6       Information Security Measures of Performance

No ICS Supplemental Guidance.
PM-7 ENTERPRISE ARCHITECTURE

CNTL NO.   CONTROL NAME / Control Enhancement Name
PM-7       Enterprise Architecture

No ICS Supplemental Guidance.

PM-8 CRITICAL INFRASTRUCTURE PLAN

CNTL NO.   CONTROL NAME / Control Enhancement Name
PM-8       Critical Infrastructure Plan

No ICS Supplemental Guidance.

References: Executive Order 13636, Improving Critical Infrastructure Cybersecurity, February 12, 2013.

PM-9 RISK MANAGEMENT STRATEGY

CNTL NO.   CONTROL NAME / Control Enhancement Name
PM-9       Risk Management Strategy

ICS Supplemental Guidance: Risk management of ICS is considered along with other organizational risks affecting mission/business success from an organization-wide perspective. The organization-wide risk management strategy includes sector-specific guidance as appropriate.

PM-10 SECURITY AUTHORIZATION PROCESS

CNTL NO.   CONTROL NAME / Control Enhancement Name
PM-10      Security Authorization Process

ICS Supplemental Guidance: The authorization-to-operate process for ICS involves multiple disciplines that have existing approval and risk management processes (e.g., physical security, safety). Organization-wide risk management requires harmonization among these disciplines.
PM-11 MISSION/BUSINESS PROCESS DEFINITION

CNTL NO.   CONTROL NAME / Control Enhancement Name
PM-11      Mission/Business Process Definition

ICS Supplemental Guidance: Mission/business process refinement requires protection of physical assets from damage originating in the cyber domain. These needs are derived from the mission/business needs defined by the organization, the mission/business processes selected to meet the stated needs, and the organizational risk management strategy.

PM-12 INSIDER THREAT PROGRAM

CNTL NO.   CONTROL NAME / Control Enhancement Name
PM-12      Insider Threat Program

No ICS Supplemental Guidance.

PM-13 INFORMATION SECURITY WORKFORCE

CNTL NO.   CONTROL NAME / Control Enhancement Name
PM-13      Information Security Workforce

ICS Supplemental Guidance: All aspects of information security workforce development and improvement programs include knowledge and skill levels in both computational and physical ICS components.
PM-14 TESTING, TRAINING, AND MONITORING

CNTL NO.   CONTROL NAME / Control Enhancement Name
PM-14      Testing, Training, and Monitoring

No ICS Supplemental Guidance.

PM-15 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS

CNTL NO.   CONTROL NAME / Control Enhancement Name
PM-15      Contacts with Security Groups and Associations

No ICS Supplemental Guidance.

PM-16 THREAT AWARENESS PROGRAM

CNTL NO.   CONTROL NAME / Control Enhancement Name
PM-16      Threat Awareness Program

ICS Supplemental Guidance: The organization should collaborate and share information about potential incidents on a timely basis. The DHS National Cybersecurity & Communications Integration Center (NCCIC), http://www.dhs.gov/about-national-cybersecurity-communications-integration-center, serves as a centralized location where operational elements involved in cybersecurity and communications reliance are coordinated and integrated. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), http://ics-cert.us-cert.gov/ics-cert/, collaborates with international and private sector Computer Emergency Response Teams (CERTs) to share control systems-related security incidents and mitigation measures. Organizations should consider having both an unclassified and a classified information sharing capability.