API St 1164-2009: Pipeline SCADA Security
1.1 Purpose and Objectives

The goal of an operator is to control the pipeline in such a way that there are no adverse effects on employees, the environment, the public, or the customers as a result of actions by the operator, or by other parties. This SCADA security program provides a means to improve the security of the pipeline SCADA operation by:

— analyzing vulnerabilities of the SCADA system that can be exploited by unauthorized entities,
— listing the processes used to identify and analyze the SCADA system vulnerabilities to unauthorized attacks,
— providing a comprehensive list of practices to harden the core architecture,
— providing examples of industry best practices.

1.2 Roles and Responsibilities

The operator’s senior management shall implement a program of SCADA security for their organization to identify accountability for all aspects of SCADA security at every organizational level. The SCADA security program scope should include the operator’s organization, business partners, vendors, and external suppliers of SCADA products and services for the SCADA system.

The SCADA security program should document the SCADA security plan, identify the roles and responsibilities of security professionals and practitioners who will implement policies and procedures, and provide for the coordination of security efforts in the SCADA domain with the cyber security activities of the entire organization.

The SCADA security program shall be designed and communicated so that all personnel who have actual or potential impact on the security of the SCADA system are fully informed of their security roles and responsibilities, and receive adequate training to complete their tasks securely.

The SCADA security program should be designed to ensure the organization’s ongoing implementation of industry best practices in cyber security and compliance with all relevant standards.
2 Definitions and Acronyms

2.1 Definitions

For the purposes of this standard the following definitions apply.
2.1.2 backdoor / trapdoor
A documented or undocumented way of gaining access to a program, online service, or an entire computer system; written by the programmer who creates the code for the program.

2.1.3 biometrics
The study of methods for uniquely identifying humans based upon one or more intrinsic physical or behavioral traits.

2.1.4 confidential
Classification applies to sensitive company information that requires tight/strict security to protect it from unauthorized disclosure, modification, or destruction.
NOTE Unauthorized disclosure, modification, or destruction could have a significant impact. It is information that requires a higher than normal assurance of accuracy and completeness (see Section 6 for more details).

2.1.5 controlled access
Access in which the resources of an area or system are limited to authorized personnel, users, programs, processes, or other systems, and denied to all others.

2.1.6 data center
A facility used to house computer systems and associated components, such as telecommunications and storage systems, that generally includes redundant power systems, data communication connections, environmental controls, and security devices.

2.1.7 database management system (DBMS)
Computer software designed for the purpose of managing databases based on a variety of data models.

2.1.8 defense in depth
A best practice where multiple layers and types of defense strategies are implemented throughout the SCADA system, which may address personnel, technology, and operations throughout the system lifecycle.

2.1.9 demilitarized zone (DMZ)
A DMZ is an intermediary zone between trusted and untrusted networks, providing monitored and controlled access and data transfer (see Figure 3).
2.1.11 domain name system
Associates various information with domain names by translating human-readable computer host names into IP addresses.

2.1.12 dual-homed computer
A computer that has network interfaces connected to multiple networks or security domains.
NOTE This is not the same as two network interface cards used for redundancy.

2.1.13 dynamic host configuration protocol (DHCP)
A protocol used by networked devices to obtain the parameters necessary for operation in an IP network.

2.1.14 eliminated
To be rid of, or having removed a threat.

2.1.15 enhanced security
Security above the accepted normal level, including, but not limited to, strong or multifactor authentication, encryption, multilevel access control including physical access and biometrics.

2.1.16 extranet
An extranet can be viewed as a part of a company’s intranet that is extended to users outside the company. It has also been described as a “state of mind,” in which the internet is perceived as a way to do business with other companies as well as to sell products to customers.