Industrial Control Systems (ICS) Inventory Methodology


Post on 24-Jan-2021



    Contents

    Executive Summary ..... 3
    Why is an ICS inventory necessary ..... 5
    Who should perform this inventory activity ..... 5
    When is an inventory necessary ..... 5
    ICS Component types that will be inventoried ..... 6
    Inventory Results – Storage and Protection ..... 6
    ICS Component Inventory Methodology Levels ..... 6
    Conducting an ICS Inventory ..... 8
    Logical Inventory ..... 9
    Physical inventory ..... 10
    Tools required to conduct an ICS inventory activity ..... 10
    Appendix 1 - HQDA EXECUTE ORDER 002-13 ..... 11
    Appendix 2 - ICS Components Subject to Inventory ..... 15


    Executive Summary

    The development and implementation of this Industrial Control Systems (ICS) Inventory Methodology is in support of the Headquarters, Department of the Army (HQDA) Execute Order (EXORD) 002-13; Army-Wide Inventory of Industrial Control Systems and Supervisory Control and Data Acquisition Systems and the implementation of the Cybersecurity Risk Management Framework. Traditionally, “Industrial Control Systems” are fixed installation networked control systems comprised of robust hardware and components to ensure a high level of reliability and redundancy. Within the Department of Defense, ICS is used to refer to a broader range of automated control systems, including those that traditionally have not been considered "industrial" such as building automation, electronic security systems, and metering systems. The DoD definition of ICS includes "real property control systems" and "industrial process (manufacturing)" control systems but excludes weapon systems. The standardized inventory method shall be applicable to a wide range of unrelated ICS including, but not limited to: security; fire; heating, ventilation and air conditioning; medical technologies; and manufacturing. The purpose of this document is to provide amplifying guidance that addresses the following points when performing an ICS inventory:

    • Reasoning behind conducting an ICS inventory
    • Identify the appropriate personnel to perform the inventory
    • Identify when the inventory is necessary
    • Identify the components to be included in the inventory
    • Identify the sources of information that can be used to conduct the inventory
    • Identify tools that may be used to assist the inventory
    • Identify the steps required to perform the inventory
    • Discuss the constraints and barriers of conducting the inventory
    • Maintaining current and accurate inventory information

    There are several reasons why an ICS inventory needs to be conducted. At the most basic level, it allows commanders to identify what Army-owned or operated ICS are used to conduct business and execute missions. This information can be used to ensure that systems are not susceptible to specific vulnerabilities which can be used to weaken the ICS mission. It also allows the ICS owner to define the criticality of the ICS as it relates to their specific mission or business processes allowing them to ensure that the ICS is capable of reliably meeting current and future requirements. In short, the information derived can be used to satisfy many different types of data calls.

    In order to accurately perform an inventory, personnel must have a basic understanding of what an ICS is. While the inventory personnel may not be cognizant of the specific mission of a particular ICS, they can work with local Subject Matter Experts (SMEs) to identify the components that need to be included in the inventory. This allows for a streamlined and cost-effective asset count.

    There are two parts to determining the necessity of conducting an ICS inventory. First, a baseline inventory of all relevant components must be conducted using the guidance contained within this document. Once the baseline inventory is conducted, it will need to be maintained as part of the overall sustainment function of the ICS lifecycle. This includes making the appropriate updates when inventoried hardware or software components are modified.

    Identification of the components to be included in the inventory is essential to the overall value of the inventory itself. To support cyber vulnerability assessments, all Ethernet or Ethernet-capable devices that comprise an ICS must be part of the ICS inventory. Then, using the tiered ICS architecture as well as the amplifying information contained in this document, the remaining types of components, and the rationale for including them in the inventory, are shown.

    In addition to physically conducting a hardware and software inventory, other sources of information should also be utilized. ICS design documentation, purchase orders, system manuals, control system databases, and drawings should be consulted to aid in the identification and location of ICS components. These artifacts also serve as the basis from which to begin the inventory itself. Utilizing existing documentation will help streamline the inventory process and also help to ensure that all components of the ICS are understood.

    To conduct a successful inventory, there are multiple steps involved. Coordinating with the site points of contact and ICS SMEs is paramount to component identification and location. Next, a logical inventory of the Ethernet based devices is performed to create a logical device map of components and ascertain system interfaces. A review of existing documentation and inventories is then performed and finally a physical inventory of the components will be performed.

    There are multiple potential roadblocks when conducting an ICS inventory. Most ICS are comprised of hundreds, if not thousands, of components that may be part of the inventory. Many of these components are installed where physical access is not easily gained. This roadblock alone is a significant burden to the personnel conducting the inventory and their assigned support personnel. Other barriers to conducting a complete inventory are scheduling and the possible interruption of business process systems (especially manufacturing or fabrication), resulting in an impact to mission support.

    Why is an ICS inventory necessary

    The term Industrial Control System has become such a generalized term that it is important to understand what exactly comprises an ICS. To determine what has been fielded at a facility, an accurate and complete inventory of certain components is required. Having a complete inventory will:

    • Enable facilities to respond with a high degree of accuracy to Command or DoD data calls.

    • Ensure that funding is allocated for the proper sustainment and lifecycle management of the ICS.

    • Allow facility and cybersecurity managers to understand what their vulnerability exposure footprint is for a given ICS.

    • Allow the ICS owner to define the criticality of the ICS as it relates to their specific mission or business processes allowing them to ensure that the ICS is capable of reliably meeting current and future requirements.

    The accurate and complete inventory also becomes an artifact/information source for the Department of Defense Information Assurance Certification and Accreditation Program (DIACAP) or the Risk Management Framework (RMF).

    Who should perform this inventory activity

    • In order to accurately perform an ICS inventory, inventory personnel must have a basic understanding of what an ICS is. While they do not have to be familiar with the particular ICS being inventoried, it is expected that they have experience with the various components outlined in Appendix 2 of this document.

    • In addition to the inventory personnel, the ICS SME or someone familiar with the ICS being inventoried is required for support. They are the people most familiar with how the ICS is deployed and utilized within the environment, not necessarily the inventory personnel. Their support in this effort ensures that all relevant aspects of the system are included in the inventory process.

    • Every team performing an ICS inventory should include someone capable of reading a network diagram.

    When is an inventory necessary

    • Initial inventory – An initial inventory using the guidance provided in this Method is required to obtain a baseline.

    • Inventory sustainment – Once the inventory baseline has been performed, the inventory must remain accurate in order to provide value. Whenever changes (hardware or software application version) to the inventoried equipment are made, the inventory should be updated.

    ICS Component types that will be inventoried

    Any Ethernet or TCP/IP device, regardless of whether it is currently using this capability, should be included in the inventory. An accurate inventory of this equipment gives the ICS owner awareness of the configuration and capabilities of the ICS as presently deployed, and of the impact of future configuration changes, prior to the implementation of change.

    • Personnel performing the inventory must start from the ICS front end, or centralized ICS control point, and work their way down to the components contained in the field control system.

    • Physical verification, as deemed necessary, of the devices in the field to validate that the system inventories and topologies match deployed configuration.

    • Verification of appropriate device physical security, depending on the device.
      o Is the device behind a locked door?
      o Is the device in an enclosure box?
      o Are there sufficient physical access controls associated with the device?

    Some ICS component examples are depicted in Appendix 2.

    Inventory Results – Storage and Protection

    The following questions must be answered prior to initiation of the inventory activity.

    • What are the protection requirements (sensitivity) of the aggregated inventory data? In most cases, ICS inventory data is For Official Use Only (FOUO). However, there may be specific instances where ICS inventory data is Secret or Top Secret. There is also the possibility the aggregation of ICS inventory data will require a more sensitive classification than FOUO. This must be decided and agreed upon prior to the inventory activity.

    • Where will this information reside and who will have access to it? Again, this must be decided prior to the inventory activity. There are numerous potential uses for this data, and each purpose would logically dictate a different custodian. It is common for Facilities Management to serve as the primary custodian.

    ICS Component Inventory Methodology Levels

    The ICS Architecture is described in five Tiers (and multiple sub-tiers), where each tier represents a collection of components that can be logically grouped together by function and IA approach. This tiered approach provides a foundation for understanding the overall architecture and representation of the ICS. However, from an inventory perspective, it does not provide an effective approach to perform an inventory. The ICS tiers are grouped into three inventory levels (see table):

    Inventory Level   ICS Tier and Name
    Level 1           5 - "External" Connection and Platform Information Technology (PIT) Management
                      4 - UMCS Front End and IP Network
                      3 - Facility Points of Connection (FPOCs)
    Level 2           2 - IP Portion of the Field Control System
    Level 3           1 - Non-IP Portion of the Field Control System
                      0 - Sensors and Actuators

    Each level contains a subset of the ICS architecture tiers, and the levels build upon each other. From an inventory perspective, one should start at the top inventory level (level 1) of the ICS and work down to the lowest inventory level (level 3) that is required for the inventory. Prior to the commencement of the inventory, the requestor will identify the inventory levels to be included in the inventory.

    The following are the five ICS Architecture tiers:

    • Tier 5: The point of external connection and Platform IT (PIT) management. This tier represents the highest level (and typically least documented and understood component by ICS personnel) of a site’s ICS. Each successive tier will drill deeper and provide more detail. There are also many more devices at each successive tier. Examples of Tier 5 ICS are Energy Monitoring and Control System (EMCS) and Utility Monitoring and Control System (UMCS). This tier also includes firewalls, routers, and any other physical or logical device designed to provide a boundary around the Tier 5 ICS. Every site-specific ICS Inventory activity will include the devices at this tier.

    • Tier 4: The subnet(s) associated with a specific ICS and the ICS front end and/or operations center. This tier typically resides at the top of a dedicated VLAN, and contains the highest level device(s) associated with an ICS. SCADA systems typically sit at this tier. Unless specifically excluded from an ICS Inventory activity, every Tier 4 device will be included in an ICS Inventory.

    • Tier 3: Field Point(s) of Connection (FPOC). This tier is the interface between the operations center and the Field Control System(s). This is the switch, proxy device, or firewall through which ICS front ends and Field Control Systems communicate. Typically, these devices are included in an ICS Inventory, primarily because these devices communicate directly with the operations center or front end.

    • Tier 2: IP-enabled Field Control Systems. This tier can include programmable logic controllers (PLCs), other IP-based controllers, workstations, and switches. The devices in this tier can send/receive data and instructions to/from Tiers 4, 3, 1, and 0. These devices typically serve as a translator between Tier 1 and higher tier devices.

    • Tier 1 (Stage 4): Non-IP Field Control Systems. This tier includes devices that communicate via non-IP protocols. These are non-IP PLCs. By definition, these devices will not show up on an IP network scan. They will, however, show up on an “All Ports, All Protocols” scan. Use the aggregated data from procurement, IT, DPW, and IA to derive an estimate for these devices.

    • Tier 0: Sensors and Actuators. These are irrelevant to an ICS Inventory activity.

    Associating the ICS tiers with Inventory stages provides flexibility when planning and executing an ICS Inventory activity. A site may ask for a Stage 1 Inventory for the site with a Stage 3 Inventory on a particular system. Initial inventories may be limited to identifying facility or installation ICS by system name, mission, operating systems, interfaces to other system boundaries, and sustainment roles and responsibilities, to facilitate the initial inventory execution order, HQDA Execute Order 002-13; Army-wide Inventory of Industrial Control Systems and Supervisory Control and Data Acquisition Systems, found in Appendix 1. This will provide a baseline from which inventories of devices, software, and firmware can be developed in a systematic way.

    Conducting an ICS Inventory

    Conducting an ICS inventory requires planning and coordination with the site being inventoried. The following activities should be performed as early as possible:

    • Identify primary and secondary POCs/SMEs for the ICS.
      o Facilities/Operations management.
      o Department of Public Works (DPW).
      o IAM/IAO.
      o System Owner/Program Sponsor.
      o Technical staff.
      o Control System Operators.

    • Define the scope of the inventory activity.
      o Inventory activity is limited to a specific set of ICS components.
      o Inventory activity to account for components on Tiers 2 – 5.

    • Request documentation.
      o Procurement, installation, and configuration documentation.
      o Bill of materials.
      o As-built drawings.
      o System manuals.
      o Accreditation package, if applicable.

    • Schedule the inventory activity.
      o Request access to facilities.
      o Request access to relevant personnel.

    The inventory activity is potentially comprised of two parts – a logical inventory and a physical inventory. There will always be a logical inventory activity. For some critical systems, a physical inventory sampling may be required. If a physical inventory is required, the logical and physical inventories should match. If there is a mismatch, it should be noted and brought to the attention of the primary POC.

    CAUTION: When using network discovery or vulnerability testing tools to aid in ICS component identification, aggressive scan techniques can disable or stop devices; even plain port scanning should be done in a manner that allows for quick recovery. Plan such events around outages, or complete port scans in a methodical manner to ensure minimum impact.

    Logical Inventory

    • Determine if the ICS management station or front end has the capability to show an inventory of all connected devices. If possible, obtain an export of that inventory to aid in the completion of the data collection.

    • Perform Network Discovery scan on the stated IP ranges for the ICS. This will require coordination with a system or network administrator, and may have to be run from multiple front end servers. Work with the system or network administrator to ensure adequate permissions are granted to the scanning tool.

    • Identify IP-enabled & networked ICS components. The discovery scan will generate varying levels of information, depending on the configuration of the network hosts. Verify and validate the scan results with existing hardware/software lists. Also, determine if some networked components are not always on.

    • Identify IP-enabled & non-networked ICS components. These components will not show up on discovery scans. The hardware/software list should be comprehensive enough to enumerate these components.


    • Identify isolated and/or private subnets. Within IP ranges, there can be isolated or private subnets. Work directly with a network administrator to determine if any such subnets exist, and perform a discovery scan for each subnet.

    • Enumerate all hosts (fill in the spreadsheet) to the extent possible from the Discovery Scan. Given that discovery scans do not provide detailed information, hardware/software lists and other system documentation will be necessary to obtain the requisite information.
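As an added example (not code from the methodology document), the following Python reconciles a discovery-scan result against the documented hardware/software list using the tier-to-level grouping from the table above: documented IP devices the scan did not find are flagged for physical verification (they may not be always on), scanned hosts with no documented component are flagged for the primary POC, and Tier 1/0 devices are listed separately because an IP scan will never see them. All device names, addresses, tiers, and scan output are constructed sample data, and the requested inventory levels are an assumed input.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Tier -> inventory level grouping, taken from the methodology's table
TIER_TO_LEVEL = {5: 1, 4: 1, 3: 1, 2: 2, 1: 3, 0: 3}


@dataclass(frozen=True)
class Component:
    """One row of the documented hardware/software list (constructed sample)."""
    name: str
    tier: int
    ip: Optional[str]       # None for non-IP devices (Tiers 1 and 0)
    building: str
    firmware: str = ""


# Constructed documented list, as it might be assembled from as-built
# drawings, the bill of materials and the front end's own device export.
DOCUMENTED: List[Component] = [
    Component("bldg-fw-01", 5, "10.10.0.1", "HQ", "fw-os 6.2"),
    Component("umcs-frontend", 4, "10.10.0.10", "HQ", "umcs 3.1"),
    Component("fpoc-sw-b120", 3, "10.10.1.1", "B120"),
    Component("plc-chiller-01", 2, "10.10.1.21", "B120", "plc-fw 2.4"),
    Component("plc-ahu-03", 2, "10.10.1.23", "B120", "plc-fw 2.4"),
    Component("bacnet-mstp-ctl-07", 1, None, "B120"),   # non-IP field controller
    Component("temp-sensor-7a", 0, None, "B120"),        # sensor
]

# Constructed discovery-scan output: IP -> facts the scanner reported.
SCAN: Dict[str, dict] = {
    "10.10.0.1": {"vendor": "fw-vendor", "open_ports": [443]},
    "10.10.0.10": {"vendor": "umcs-vendor", "open_ports": [80, 47808]},
    "10.10.1.1": {"vendor": "sw-vendor", "open_ports": [22]},
    "10.10.1.21": {"vendor": "plc-vendor", "open_ports": [502]},
    "10.10.1.30": {"vendor": "plc-vendor", "open_ports": [502]},  # not documented
}


def level_of(tier: int) -> int:
    """Map an ICS architecture tier to its inventory level (1, 2 or 3)."""
    return TIER_TO_LEVEL[tier]


def reconcile(documented: List[Component], scan: Dict[str, dict],
              levels_in_scope=(1, 2, 3)) -> Dict[str, List[str]]:
    """Compare the documented list with the discovery scan.

    Returns lists keyed by finding:
      confirmed     documented IP devices seen by the scan
      not_seen      documented IP devices the scan did not find; verify
                    physically before changing the record (may be powered off)
      unexpected    scanned hosts with no documented component; report to the
                    primary POC as a mismatch
      non_ip        Tier 1/0 devices, never expected in an IP scan; estimate
                    from procurement, DPW and IA records instead
      out_of_scope  components whose inventory level was not requested
    """
    result: Dict[str, List[str]] = {
        "confirmed": [], "not_seen": [], "unexpected": [],
        "non_ip": [], "out_of_scope": [],
    }
    # Every documented address counts as known, even when its level is out of
    # scope, so an out-of-scope device is never reported as unexpected.
    documented_ips = {c.ip for c in documented if c.ip is not None}
    for comp in documented:
        if level_of(comp.tier) not in levels_in_scope:
            result["out_of_scope"].append(comp.name)
        elif comp.ip is None:
            result["non_ip"].append(comp.name)
        elif comp.ip in scan:
            result["confirmed"].append(comp.name)
        else:
            result["not_seen"].append(comp.name)
    for ip in sorted(scan):
        if ip not in documented_ips:
            result["unexpected"].append(ip)
    return result


def level_summary(documented: List[Component]) -> Dict[int, int]:
    """Count documented components per inventory level (useful for data calls)."""
    counts = {1: 0, 2: 0, 3: 0}
    for comp in documented:
        counts[level_of(comp.tier)] += 1
    return counts


if __name__ == "__main__":
    for finding, names in reconcile(DOCUMENTED, SCAN).items():
        print(f"{finding:13s} {names}")
    print("components per level:", level_summary(DOCUMENTED))
```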

    Physical inventory

    • Identify all buildings/locations of equipment. Facilities/Operations Management should have a comprehensive list of locations for ICS devices.

    • Coordinate the logistics of access (badges, ladders, flashlights, personal protective equipment (PPE), special training for access). Make sure to inquire about escort availability and find out who has keys to locked spaces.

    • Identify and schedule required assistance from the site (SME, Technician) to assist, if needed.

    • Review existing inventory lists, wiring diagrams, and any other pertinent documentation to ensure all defined ICS components are included.

    • In most cases, Tier 0 sensors and actuators will not be physically counted. These devices are not connected to IP networks. Similarly, Tier 1 non-IP Field Controllers are not connected to IP networks. Thus, they do not meet the criteria stated – “fixed installation networked control systems.”

    • Conduct the agreed-upon physical observation of components.

    All of the logically and physically collected information will be recorded in the ICS Inventory Template. Instructions on how to use the inventory template can be found under the ‘Read Me First’ tab in the inventory template document.

    Tools required to conduct an ICS inventory activity

    • Current documentation.
      o Existing inventory list.
      o Procurement, installation, and configuration documentation.
    • Network scanning software.
    • Flashlight.
    • Ladder.
    • Multi-purpose tool with different screwdriver heads and hex keys.
    • ICS Inventory Template.

    Appendix 1 - HQDA EXECUTE ORDER 002-13

    HQDA EXECUTE ORDER 002-13; ARMY-WIDE INVENTORY OF INDUSTRIAL CONTROL SYSTEMS AND SUPERVISORY CONTROL AND DATA ACQUISITION SYSTEMS

    ALARACT 279/2012 DTG: P 041909Z OCT 12 THIS MESSAGE HAS BEEN SENT BY THE PENTAGON TELECOMMUNICATIONS CENTER ON BEHALF OF DA WASHINGTON DC//DCS/G-3/5/7// SUBJECT: HQDA EXORD 002-13; ARMY-WIDE INVENTORY OF INDUSTRIAL CONTROL SYSTEMS AND SUPERVISORY CONTROL AND DATA ACQUISITION SYSTEMS (U) REFERENCES: REF A. FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002, 44 U.S.C. SECTION 3541 ET SEQ. (2011). REF B. CLINGER-COHEN ACT OF 1996, 40 U.S.C. 1401 ET SEQ. (2011). REF C. DOD INSTRUCTION 8500.2, INFORMATION ASSURANCE IMPLEMENTATION, 06 FEBRUARY 2003. REF D. DOD INSTRUCTION, 8510.01, DOD INFORMATION ASSURANCE CERTIFICATION AND ACCREDITATION PROCESS, 28 NOVEMBER 2007. REF E. DOD MANUAL, 8570.01-M, DOD INFORMATION ASSURANCE WORKFORCE IMPROVEMENT PROGRAM, 19 DECEMBER 2005. REF F. ARMY REGULATION 25-2, INFORMATION ASSURANCE, 24 OCTOBER 2001/RAR 23 MARCH 2007. REF G. HQDA, GENERAL ORDER 2010-26, ESTABLISHMENT OF THE UNITED STATES ARMY CYBER COMMAND, 1 OCTOBER 2010 REF H. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY SPECIAL PUBLICATION 800-82, GUIDE TO INDUSTRIAL CONTROL SYSTEMS SECURITY, JUNE 2011. 1. (U) SITUATION. 1.A. (U) PURPOSE. EMERGING CYBERSPACE THREAT CAPABILITIES REQUIRE THE ARMY TO QUICKLY AND ACCURATELY IDENTIFY ARMY-OWNED INDUSTRIAL CONTROL SYSTEMS AND SUPERVISORY CONTROL AND DATA ACQUISITION SYSTEMS (ICS/SCADA) IN ORDER TO ASSESS THEIR SECURITY AND IMPLEMENT MEASURES TO LIMIT SYSTEM DEGRADATION OR DISRUPTION. THIS ORDER IS CONSISTENT WITH DEPARTMENT OF DEFENSE (DOD) REGULATIONS AND FEDERAL LAW PERTAINING TO ALL UNITED STATES ARMY NETWORKS AND SYSTEMS. 1.B. (U) BACKGROUND. MUCH OF THE ARMY'S ABILITY TO EXERCISE MISSION COMMAND, OPERATE CIVIL WORKS PROGRAMS, AND ASSIST IN THE PROTECTION OF NATIONAL CRITICAL INFRASTRUCTURE RELIES UPON THE OPERATION OF ICS/SCADA SYSTEMS. 
GIVEN THE UNIQUE CONFIGURATION AND PURPOSE OF THESE ICS/SCADA SYSTEMS, CURRENT VISIBILITY OF THESE SYSTEMS IS INCOMPLETE AND MANY ARMY-OWNED SYSTEMS ARE NOT IN COMPLIANCE WITH CURRENT CERTIFICATION AND ACCREDITATION STANDARDS. THIS SITUATION, COMBINED WITH INCREASING NETWORK CONNECTIVITY AND REMOTE ACCESS OF ICS/SCADA SYSTEMS, EXPOSES POTENTIAL VULNERABILITIES TO INCREASINGLY SOPHISTICATED CYBER ADVERSARIES. 1.B.1. (U) FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 (FISMA), REF A, REQUIRES FORMAL CERTIFICATION AND ACCREDITATION FOR ALL COMPUTER SYSTEMS AND DATA NETWORKS INCLUDING ICS AND SCADA SYSTEMS

  • 12

    TO INCLUDE STAND-ALONE (NOT NETWORKED) SYSTEMS. 2. (U) MISSION. NOT LATER THAN (NLT) 15 JAN 2013 ARMY COMMANDS (ACOM), ARMY SERVICE COMPONENT COMMANDS (ASCC), AND DIRECT REPORTING UNITS (DRU) IDENTIFY AND INVENTORY ALL ARMY-OWNED ICS/SCADA SYSTEMS WITHIN THEIR ORGANIZATIONS AND REPORT THE RESULTS TO ARMY CYBER COMMAND VIA THEIR RESPECTIVE THEATER SIGNAL COMMANDS IN ORDER TO ESTABLISH SYSTEM VISIBILITY, IDENTIFY RISKS, AND IMPLEMENT STEPS THAT REDUCE VULNERABILITIES FROM CYBER THREATS. 3. (U) EXECUTION. 3.A. (U) INTENT. IDENTIFY AND INVENTORY ALL ARMY ICS/SCADA SYSTEMS AND REDUCE CYBER VULNERABILITIES TO ICS/SCADA SYSTEMS IN THE ARMY. ALSO, INCREASE AWARENESS OF NON ARMY-OWNED ICS/SCADA SYSTEMS UPON WHICH THE ARMY DEPENDS. AT ENDSTATE, THIS ORDER ESTABLISHES THE NECESSARY SYSTEM VISIBILITY TO ENABLE ICS/SCADA-DEPENDENT MISSION OWNERS, WITH THE ASSISTANCE OF ARMY CYBER COMMAND, TO ENHANCE THE CYBERSPACE DEFENSIVE POSTURE OF THEIR ICS/SCADA SYSTEMS, AND IDENTIFY POTENTIAL COORDINATION REQUIREMENTS FOR NON ARMY-OWNED SYSTEMS UPON WHICH THE ARMY DEPENDS. 3.B. (U) CONCEPT OF THE OPERATION. ALL ACOM, ASCC, AND DRUS WILL IDENTIFY AND INVENTORY ALL ICS/SCADA SYSTEMS THAT THEY OWN OR OPERATE WITHIN THEIR ORGANIZATIONS, ENSURING ALL SYSTEMS ARE FULLY DOCUMENTED AND SYSTEM OWNERS IDENTIFIED. ONCE THE INVENTORY IS COLLECTED, ARMY CYBER COMMAND WILL CONSOLIDATE THE ICS/SCADA INVENTORY TO ESTABLISH IMPROVED SITUATIONAL AWARENESS AND ASSIST ASSET OWNERS WITH IMPROVING CYBERSPACE DEFENSE OF THESE SYSTEMS. ORGANIZATIONS WILL ALSO IDENTIFY MISSIONS AND FUNCTIONS THAT ARE SUPPORTED BY NON ARMY-OWNED ICS/SCADA SYSTEMS THAT SIGNIFICANTLY AFFECT ACOM, ASCC, AND DRUS. THESE SYSTEMS INCLUDE THOSE OWNED AND CONTROLLED BY COMMERCIAL OR PUBLIC PROVIDERS. 3.B.1. (U) THE IDENTIFICATION AND INVENTORY OF ALL ARMY-OWNED ICS/SCADA SYSTEMS INCLUDES ALL TYPES OF CONTROL SYSTEMS USED FOR DATA COLLECTION AND MONITORING, AS WELL AS MANAGEMENT CONTROL SYSTEMS. 
WHILE MANY OF THESE SYSTEMS USE ROUTABLE PROTOCOLS FOR COMMUNICATIONS, INCLUDING TRANSMISSION CONTROL PROTOCOL/INTERNET PROTOCOL (TCP/IP), TELEPHONE AND SERIAL CONNECTIONS, OTHER SYSTEMS MAY ONLY HAVE USB, CD, OR KEYBOARD ACCESS. THE FUNCTIONS, LOCATIONS, HARDWARE, SOFTWARE, AND APPLICATIONS MUST BE INCLUDED IN THE INVENTORY. ALSO, ALL NETWORK CONNECTIONS MUST BE DESCRIBED. ORGANIZATIONS WILL PROVIDE THE REQUIRED INFORMATION VIA THE SYSTEM IDENTIFICATION PROFILE IN ANNEX A. DUE TO CURRENT CYBER THREATS, THIS SENSITIVE LISTING, WHILE STILL UNCLASSIFIED, WILL BE SENT VIA SECRET INTERNET PROTOCOL ROUTER NETWORK (SIPRNET). 3.B.2. (U) FOR ICS/SCADA SYSTEMS THAT AN ACOM, ASCC OR DRU DEPEND UPON THAT ARE NOT ARMY-OWNED, THE ORGANIZATION WILL COLLECT AND REPORT DATA ON THE MISSIONS AND FUNCTIONS THAT THE SYSTEM SUPPORTS, THE PUBLIC OR COMMERCIAL OWNER OF THE SYSTEM, AND ANY EXISTING MEMORANDUMS OF UNDERSTANDING (MOU) OR MEMORANDUMS OF AGREEMENT (MOA) BETWEEN THE ARMY AND THE OWNER. ORGANIZATIONS WILL PROVIDE THE REQUESTED INFORMATION CONTAINED IN THE MISSION INFORMATION SPREADSHEET IN ANNEX C. WHILE THIS INFORMATION IS UNCLASSIFIED, IT IS SENSITIVE DUE TO CURRENT CYBER THREATS. THE INFORMATION IN ANNEX C WILL BE SENT VIA SECRET INTERNET PROTOCOL ROUTER NETWORK (SIPRNET) TO THE ARMY CYBER COMMAND POCS LISTED IN COMMAND AND SIGNAL. ORGANIZATIONS WILL NOT ATTEMPT TO

  • 13

    COMPLETE SYSTEM IDENTIFICATION PROFILES (ANNEX A) FOR ICS/SCADA SYSTEMS THEY DO NOT OWN OR OPERATE. 3.B.3. (U) ORGANIZATIONS WILL COMPLETE AND SUBMIT THE ICS/SCADA INVENTORY REQUIREMENTS IN ANNEX A AND C WITHIN 90 DAYS OF RECEIPT OF THE EXORD. ORGANIZATIONS MUST SEND THE INFORMATION VIA SIPRNET TO THE ARMY CYBER COMMAND POCS (ARMY CYBER COMMAND ACOIC COMMAND DUTY OFFICER ([email protected]) AND THE ICS/SCADA ACTION OFFICER ([email protected])) IAW THE FORMATS IN ANNEX A AND/OR C. 3.C. (U) TASKS TO SUBORDINATE UNITS. 3.C.1. (U) ALL ACOM, ASCC AND DRU. 3.C.1.A. (U) SUBMIT A SYSTEM IDENTIFICATION PROFILE FOR EACH ARMYOWNED ICS/SCADA SYSTEM WITHIN 90 DAYS OF THE DATE OF THIS EXORD. ORGANIZATIONS WILL SUBMIT SYSTEM PROFILES TO THE ARMY CYBER COMMAND POC IAW PARAGRAPH 3.B.3. 3.C.1.B. (U) SUBMIT MISSION INFORMATION REGARDING NON ARMY-OWNED ICS/SCADA SYSTEMS UPON WHICH THE COMMAND DEPENDS IAW ANNEX C WITHIN 90 DAYS OF THE DATE OF THIS EXORD. ORGANIZATIONS WILL SUBMIT THIS INFORMATION TO THE ARMY CYBER COMMAND POCS AS LISTED IN PARAGRAPH 3.B.3. 3.C.1.C. (U) REPORT ANY NEW OR MODIFIED ICS/SCADA SYSTEMS WITHIN THIRTY (30) DAYS OF ACQUISITION OR MODIFICATION TO THE ARMY CYBER COMMAND POCS LISTED IN COMMAND & SIGNAL AND PARAGRAPH 3.B.3. 3.C.1.D. (U) REPORT UPDATED OR NEW INFORMATION REGARDING NON ARMYOWNED ICS/SCADA SYSTEMS UPON WHICH THE ORGANIZATION DEPENDS WITHIN THIRTY (30) DAYS TO THE ARMY CYBER COMMAND POCS LISTED IN COMMAND & SIGNAL AND PARAGRAPH 3.B.3. 3.C.1.E. (U) APPOINT A POC FOR COMPLIANCE WITH THIS EXORD. PROVIDE POC INFORMATION TO THE ARMY CYBER COMMAND ICS/SCADA ACTION OFFICER AND COMMAND DUTY OFFICER REFERENCED IN COMMAND AND SIGNAL NLT 45 DAYS AFTER PUBLICATION OF THIS EXORD. 3.C.2. (U) ARMY CYBER COMMAND/2ND U.S. ARMY. 3.C.2.A. (U) CONSOLIDATE THE INVENTORY OF ALL ARMY-OWNED ICS/SCADA SYSTEMS AND THE INFORMATION REQUESTED FOR ORGANIZATIONS AFFECTED BY NON ARMY-OWNED ICS/SCADA SYSTEMS. 3.C.3 (U) INSTALLATION MANAGEMENT COMMAND (IMCOM). 
3.C.3.A (U) ASSIST INSTALLATION TENANTS/SYSTEM OWNERS IN IDENTIFYING ICS/SCADA SYSTEMS SUPPORTING POST/CAMP/STATION SYSTEMS.

3.D. (U) COORDINATING INSTRUCTIONS.

3.D.1. (U) DEFINITIONS (REF H, NIST 800-82).

3.D.1.A. (U) CONTROL SYSTEM: A SYSTEM IN WHICH DELIBERATE GUIDANCE OR MANIPULATION IS USED TO ACHIEVE A PRESCRIBED VALUE FOR A VARIABLE. CONTROL SYSTEMS INCLUDE SCADA, DCS, PLCS AND OTHER TYPES OF INDUSTRIAL MEASUREMENT AND CONTROL SYSTEMS.

3.D.1.B. (U) SCADA: A GENERIC NAME FOR A COMPUTERIZED SYSTEM THAT IS CAPABLE OF GATHERING AND PROCESSING DATA AND APPLYING OPERATIONAL CONTROLS OVER LONG DISTANCES. TYPICAL USES INCLUDE POWER TRANSMISSION AND DISTRIBUTION AND PIPELINE SYSTEMS.

3.D.2. (U) SEND COMPLETED INVENTORY INFORMATION IAW ANNEX A AND C NLT 15 JAN 2013 (90 DAYS AFTER PUBLICATION OF EXORD).

3.D.3. (U) ASSISTANCE FROM PERSONNEL WITH INFORMATION ASSURANCE (IA) TRAINING IS RECOMMENDED FOR COMPLETING THE INVENTORY, CERTIFICATION, AND ACCREDITATION IN ANNEX A. DIRECT ASSISTANCE WITHIN THE ACOM, ASCC, OR DRU IS THE BEST METHOD FOR ACCURATELY COMPLETING THE INVENTORY. REFER TO THE FOLLOWING SOURCES FOR NECESSARY SUPPORT:

3.D.3.A. (U) LINKS TO IA POCS WITHIN EACH ACOM, ASCC, DRUS AND SIP COMPLETION INSTRUCTIONS ARE LOCATED AT (HTTPS://WWW.MILSUITE.MIL/WIKI/PORTAL:ARMY_INFORMATION_ASSURANCE) UNDER THE COLLABORATION TAB.

3.D.3.B. (U) REF D, DODI 8510.01, ENCLOSURE 3, ATTACHMENT 1 CONTAINS DETAILED INSTRUCTIONS FOR THE SYSTEM IDENTIFICATION PROFILE AND THE EXAMPLE PROFILE IN ANNEX B.

3.D.3.C. (U) DIRECT UNRESOLVED QUESTIONS OR CONCERNS TO THE ARMY CYBER COMMAND POCS LISTED IN COMMAND AND SIGNAL.

4. (U) SUSTAINMENT.

4.A. (U) ORGANIZATIONS THAT ACQUIRE NEW OR UPDATED ICS/SCADA SYSTEMS AFTER THE DEADLINE OF THIS ORDER MUST SUBMIT SYSTEM PROFILES (IAW ANNEX A) WITHIN THIRTY (30) DAYS OF ACQUIRING OR UPDATING THE SYSTEM. ALSO, REPORT UPDATED OR NEW INFORMATION REGARDING NON ARMY-OWNED ICS/SCADA SYSTEMS UPON WHICH THE ORGANIZATION DEPENDS (IAW ANNEX C) WITHIN THIRTY (30) DAYS.

5. (U) COMMAND AND SIGNAL.

5.A. (U) ARMY CYBER COMMAND IS THE OPR; ALL OTHER ORGANIZATIONS, UNITS, AND STAFFS REFERENCED IN THIS ORDER ARE IN SUPPORT OF ARMY CYBER COMMAND FOR THE PURPOSE OF COMPLETING THE ICS INVENTORY.

5.B. (U) ARMY CYBER COMMAND ICS/SCADA ACTION OFFICER: MAJ ERIC R. BJORKLUND; 703-428-4766 (DSN 328-4766); [email protected] / [email protected]

5.C. (U) INVENTORY REPORTING ASSISTANCE AND SIP SUBMISSION: ARMY CYBER COMMAND ACOIC COMMAND DUTY OFFICER (CDO); 703-706-1384 (DSN 235-1384); USARMY.BELVOIR.ARCYBER.MBX.ACOIC-CDO / [email protected]

5.D. (U) DAMO-ODCI CYBER BRANCH CHIEF: LTC MICHAEL "LARRY" PARR; 703-695-1467 (DSN 225-1467); [email protected] / [email protected]

5.E. (U) HQDA G-34 CIRM BRANCH CHIEF: MR. JOE BURKE; 703-614-6597 (DSN 224-6597); [email protected] / [email protected]

6. (U) EXPIRATION DATE CANNOT BE DETERMINED.

ANNEXES: A - SYSTEM IDENTIFICATION PROFILE; B - SYSTEM IDENTIFICATION PROFILE EXAMPLE; C - NON ARMY-OWNED SYSTEM INFORMATION


    Appendix 2 - ICS Components Subject to Inventory

    Any Ethernet- or TCP/IP-capable device should be included on the inventory, regardless of whether that capability is currently in use. An accurate inventory of this equipment gives the ICS owner awareness of the configuration and capabilities of the ICS as presently deployed, and of the impact a future configuration change will have, before that change is implemented.

    • Personnel performing the inventory must start from the centralized ICS control point, such as a UMCS frontend server, and work their way down to the components contained in the field control system.

    • If a logical inventory is obtained from the ICS control point (or front end), a subset of the devices contained in the logical inventory should be verified by other means (physical inspection or direct interrogation of the device) to obtain a degree of confidence in the logical inventory maintained by the ICS.
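    The verification step above (checking a sample of the front end's logical inventory by other means) can be performed at the device itself for Modbus TCP equipment, which appears throughout the Tier 2 and Tier 3 examples later in this appendix, using the standard Read Device Identification request (function 0x2B, MEI type 0x0E). The following Python example is added here and is not part of the original document or of any vendor's tooling: it encodes the request, decodes the reply, and reconciles the reported vendor, product code and revision against the logical inventory records. The sample response bytes, the inventory records and the IP addresses are constructed for illustration; the `query_device` socket helper is for use on a live network and is not exercised by the sample.

```python
"""Verify a logical ICS inventory sample with Modbus Read Device Identification.

Added example, not from the original document. All sample data below is constructed.
"""
import socket
import struct

FC_ENCAPSULATED_INTERFACE = 0x2B   # Modbus function code 43
MEI_READ_DEVICE_ID = 0x0E          # MEI type 14: Read Device Identification
READ_BASIC = 0x01                  # basic identification stream (objects 0x00-0x02)
OBJECT_NAMES = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}
MBAP = struct.Struct(">HHHB")      # transaction id, protocol id, length, unit id


def build_read_device_id(transaction_id: int, unit_id: int = 0xFF,
                         read_code: int = READ_BASIC, object_id: int = 0x00) -> bytes:
    """Modbus TCP frame: MBAP header + PDU [0x2B, 0x0E, read code, first object id]."""
    pdu = bytes([FC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, read_code, object_id])
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu  # length counts unit id + PDU


def parse_read_device_id(frame: bytes) -> dict:
    """Decode a Read Device Identification response into its identification objects."""
    if len(frame) < MBAP.size + 2:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, unit_id = MBAP.unpack_from(frame)
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    pdu = frame[MBAP.size:]
    if len(pdu) != length - 1:
        raise ValueError("MBAP length does not match received PDU")
    if pdu[0] == FC_ENCAPSULATED_INTERFACE | 0x80:
        raise ValueError(f"device returned Modbus exception 0x{pdu[1]:02x}")
    if pdu[0] != FC_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    # after [fc, mei]: read code, conformity level, more follows, next object id, object count
    read_code, conformity, more_follows, next_object, count = pdu[2:7]
    objects, pos = {}, 7
    for _ in range(count):
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        objects[OBJECT_NAMES.get(obj_id, f"object_0x{obj_id:02x}")] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return {"transaction_id": tid, "unit_id": unit_id, "conformity": conformity,
            "more_follows": more_follows, "next_object": next_object, "objects": objects}


def query_device(host: str, unit_id: int = 0xFF, port: int = 502, timeout: float = 3.0) -> dict:
    """Send one request to a live device. Use only in a window agreed with the system owner."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_read_device_id(1, unit_id))
        header = sock.recv(MBAP.size)
        _, _, length, _ = MBAP.unpack(header)
        body = b""
        while len(body) < length - 1:
            chunk = sock.recv(length - 1 - len(body))
            if not chunk:
                raise ConnectionError("device closed connection mid-response")
            body += chunk
        return parse_read_device_id(header + body)


# logical inventory field -> identification object it must match
FIELD_TO_OBJECT = (("vendor", "VendorName"), ("model", "ProductCode"), ("firmware", "MajorMinorRevision"))


def reconcile(logical: list, verified: dict) -> list:
    """Compare logical records (ip, vendor, model, firmware) with device-reported identity.

    `verified` maps ip -> objects dict from parse_read_device_id. One finding per discrepancy.
    """
    findings = []
    known_ips = {rec["ip"] for rec in logical}
    for rec in logical:
        reported = verified.get(rec["ip"])
        if reported is None:
            continue  # not part of the verification sample
        for field, obj in FIELD_TO_OBJECT:
            if rec.get(field) != reported.get(obj):
                findings.append(f"{rec['ip']}: {field} logical={rec.get(field)!r} device={reported.get(obj)!r}")
    for ip in sorted(set(verified) - known_ips):
        findings.append(f"{ip}: answered Read Device Identification but is absent from the logical inventory")
    return findings


# Constructed sample: transaction 1, unit 1, basic stream with three objects (not a real capture)
SAMPLE_RESPONSE = (b"\x00\x01\x00\x00\x00\x21\x01" + b"\x2b\x0e\x01\x01\x00\x00\x03"
                   + b"\x00\x09ExampleCo" + b"\x01\x06GW-100" + b"\x02\x041.02")

SAMPLE_LOGICAL = [  # constructed front-end export; 10.0.0.5's firmware is deliberately stale
    {"ip": "10.0.0.5", "vendor": "ExampleCo", "model": "GW-100", "firmware": "1.01"},
    {"ip": "10.0.0.6", "vendor": "ExampleCo", "model": "GW-100", "firmware": "1.02"},
]


def demo() -> list:
    """Run the reconciliation over the constructed sample."""
    identity = parse_read_device_id(SAMPLE_RESPONSE)["objects"]
    verified = {"10.0.0.5": identity, "10.0.0.9": identity}  # 10.0.0.9 is missing from the logical inventory
    return reconcile(SAMPLE_LOGICAL, verified)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

    Two findings come out of the sample: the firmware revision the front end holds for 10.0.0.5 no longer matches what the gateway reports, and 10.0.0.9 answers on the network but is not in the logical inventory at all. Both are exactly the discrepancies the subset check is meant to surface. Not every device implements function 0x2B; a Modbus exception 0x01 (illegal function) means the device must be verified physically instead, and any active querying on a control network should be scheduled with the ICS owner because older serial-to-TCP gateways can behave unpredictably under unexpected requests.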

    (Figure 1)

    Examples of ICS Components and Associated Tiers

    Not every implementation of an ICS will make use of every tier.

    • The same device may reside in different tiers, depending on its configuration.

    • In some cases, a single device may simultaneously fit into two principal tiers.

    • In many cases, a device will fit multiple sub-tiers within the same principal tier, usually within Tier 2.

    Tier 5 – External Connection and Platform IT Management (See Figure 1, Examples of ICS Components and Associated Tiers)

    Tier 5 network devices are used to connect to systems external to the boundary. Most, if not all, of the devices in this tier will be IP based and will communicate, directly or indirectly, with servers or other traditional IT networks in the organization. Both hardware and software (including firmware and operating systems) must be inventoried at this level: because one hardware platform can run different software versions, the software version must be captured alongside the hardware to obtain an accurate representation of the device. Examples of equipment found within this tier include:

    a. Firewalls, Gateways, Switches – This equipment provides the transport between the boundary and the external network, over a traditional cable plant or over radio frequency (RF) links.

    b. DMZ, Proxies, Domain Controllers, Servers, Control Stations – Typically these are traditional PC-based IT systems that provide situational awareness, command and control, remote data analytics, and ICS alerting to systems external to the boundary, as well as interfaces to external facility control or automation solutions. In most instances a system in this tier runs multiple software applications within its operating environment to accomplish its intended function, so all hardware and software must be inventoried.

    Tier 4 – Tier 4N Network (See Figure 1, Examples of ICS Components and Associated Tiers)

    The Tier 4 network is also considered the ICS control network. Within the control network resides:

    a. 4N – Network Transport: Traditionally an IP-based network comprising switches, routers, and virtual networks (VLANs). May include non-traditional network devices such as serial, RF, or terminal servers.

    b. 4A – Servers: data historians, server-hosted applications, alert management, scheduling, building management system servers.

    c. 4B – Workstations: operator control or situational awareness stations, Human Machine Interface (HMI) displays, web-based consoles.

    Examples of Tier 4 Devices that would be part of an inventory

    Ethernet Based HMI

    (Figure 2) Omron NB7W HMI

    (Figure 3) Maple Systems 12.1" Color TFT LCD Touchscreen Open HMI with Embedded Windows CE 6.0 Operating System - OMI5121A-CE

    ICS Control Station

    (Figure 4) Example control station

    Ethernet Switches

    (Figure 5) Moxa modular managed Ethernet switch

    (Figure 6) Phoenix Contact managed Ethernet switches

    Tier 3 – Facility Points of Connection (FPOCs, also known as BPOCs) (See Figure 1, Examples of ICS Components and Associated Tiers)

    a. Single point of demarcation between the front end system and the field control system. Depending on the number of field control systems or their complexity, there may be more than one FPOC.

    b. A wide variety of devices can reside at this tier:

    1. Ethernet switch or IP router.

    2. Local Operating Network (LON) to LON/IP router.

    3. Dedicated hardware gateway between LON and BACnet/IP.

    4. Application proxy providing enclave boundary defense between a non-critical LON/IP network and the critical LON field control network.

    5. Tier 2D stand-alone front end for a local field control system (a Tier 2D Field Control System local computer can exist as an FPOC).
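    The BACnet/IP side of a gateway such as item 3 above, and every BACnet/IP device on the segment behind an FPOC, can be enumerated with BACnet's own discovery service: a Who-Is broadcast to which each device answers with an I-Am carrying its device instance number and vendor ID, the two values worth recording against the inventory. The following Python example is added here and is not from the original document or from any BACnet vendor's tooling: it encodes a global Who-Is, decodes an I-Am (BVLC, NPDU and APDU layers, with the application-tagged fields), and includes a UDP broadcast helper. The sample I-Am frame and the vendor ID 999 in it are constructed for illustration, not captured from a real device.

```python
"""Discover BACnet/IP devices (Who-Is / I-Am) to verify an inventory.

Added example, not from the original document. The sample I-Am below is constructed.
"""
import socket
import struct

BVLC_TYPE = 0x81
BVLC_ORIGINAL_BROADCAST = 0x0B
APDU_UNCONFIRMED_REQUEST = 0x10
SERVICE_I_AM = 0x00
SERVICE_WHO_IS = 0x08
OBJECT_TYPE_DEVICE = 8
TAG_UNSIGNED, TAG_ENUMERATED, TAG_OBJECT_ID = 2, 9, 12
BACNET_PORT = 0xBAC0  # 47808


def build_who_is() -> bytes:
    """Global Who-Is: BVLC Original-Broadcast-NPDU, NPDU to DNET 0xFFFF, unconfirmed Who-Is APDU."""
    npdu = bytes([0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF])  # version 1, dest present, global DNET, hop 255
    apdu = bytes([APDU_UNCONFIRMED_REQUEST, SERVICE_WHO_IS])
    body = npdu + apdu
    return struct.pack(">BBH", BVLC_TYPE, BVLC_ORIGINAL_BROADCAST, 4 + len(body)) + body


def _skip_npdu(data: bytes, pos: int) -> int:
    """Return the APDU offset, skipping optional destination, source and hop-count fields."""
    version, control = data[pos], data[pos + 1]
    if version != 0x01:
        raise ValueError(f"unsupported NPDU version {version}")
    if control & 0x80:
        raise ValueError("network layer message, not an APDU")
    pos += 2
    if control & 0x20:                # DNET(2) DLEN(1) DADR(DLEN)
        pos += 3 + data[pos + 2]
    if control & 0x08:                # SNET(2) SLEN(1) SADR(SLEN)
        pos += 3 + data[pos + 2]
    if control & 0x20:                # hop count follows the source fields
        pos += 1
    return pos


def _read_app_tag(data: bytes, pos: int):
    """Decode one application-tagged primitive: (tag number, value bytes, next offset)."""
    tag = data[pos]
    if tag & 0x08:
        raise ValueError("context tag where an application tag was expected")
    number, length = tag >> 4, tag & 0x07
    pos += 1
    if length == 5:                   # extended length in the next byte (enough for I-Am fields)
        length = data[pos]
        pos += 1
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated tagged value")
    return number, value, pos + length


def parse_i_am(frame: bytes) -> dict:
    """Decode an I-Am into the fields an inventory record needs."""
    if len(frame) < 4 or frame[0] != BVLC_TYPE:
        raise ValueError("not a BVLC frame")
    if struct.unpack(">H", frame[2:4])[0] != len(frame):
        raise ValueError("BVLC length does not match frame length")
    pos = _skip_npdu(frame, 4)
    if frame[pos] != APDU_UNCONFIRMED_REQUEST or frame[pos + 1] != SERVICE_I_AM:
        raise ValueError("not an I-Am")
    pos += 2
    fields = []  # I-Am: object id, max APDU (unsigned), segmentation (enum), vendor id (unsigned)
    for expected in (TAG_OBJECT_ID, TAG_UNSIGNED, TAG_ENUMERATED, TAG_UNSIGNED):
        tag, value, pos = _read_app_tag(frame, pos)
        if tag != expected:
            raise ValueError(f"expected application tag {expected}, got {tag}")
        fields.append(value)
    obj, max_apdu, segmentation, vendor_id = fields
    object_id = struct.unpack(">I", obj)[0]   # 10-bit object type, 22-bit instance
    if object_id >> 22 != OBJECT_TYPE_DEVICE:
        raise ValueError("I-Am object is not a Device object")
    return {"device_instance": object_id & 0x3FFFFF,
            "max_apdu": int.from_bytes(max_apdu, "big"),
            "segmentation": segmentation[0],
            "vendor_id": int.from_bytes(vendor_id, "big")}


def discover(bind_ip: str, timeout: float = 3.0) -> dict:
    """Broadcast one Who-Is from bind_ip and collect I-Am replies as {source ip: decoded fields}."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.bind((bind_ip, BACNET_PORT))
        sock.settimeout(timeout)
        sock.sendto(build_who_is(), ("255.255.255.255", BACNET_PORT))
        while True:
            try:
                data, (src, _) = sock.recvfrom(1500)
            except socket.timeout:
                return found
            try:
                found[src] = parse_i_am(data)
            except ValueError:
                continue  # other BACnet traffic on the segment, or a malformed reply


# Constructed I-Am: device instance 1, max APDU 1476, segmentation 0 (both), vendor id 999 (placeholder)
SAMPLE_I_AM = (b"\x81\x0b\x00\x19" + b"\x01\x20\xff\xff\x00\xff" + b"\x10\x00"
               + b"\xc4\x02\x00\x00\x01" + b"\x22\x05\xc4" + b"\x91\x00" + b"\x22\x03\xe7")
```

    The vendor ID is an ASHRAE-assigned number and resolves to a manufacturer through the published BACnet vendor ID list; the device instance is what the front end uses to address the device, so a mismatch between the instances seen on the wire and those configured in the front end is itself an inventory finding. A global Who-Is causes every BACnet device on the segment (and, through BBMDs, on linked segments) to answer at once, so send it only in a window coordinated with the system owner, and note that devices on the non-IP LON side of the gateway will not answer and still require a physical inventory.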

    Examples of Tier 3 Devices that would be part of an inventory

    Modbus TCP Gateway

    (Figure 7) Moxa MGate MB3180/MGate MB3280/MGate MB3480

    (Figure 8) Xpress DR IAP, Modbus TCP Ethernet to RTU/ASCII Serial Controller

    EtherNet/IP Gateways

    (Figure 9) Moxa 1-port Modbus RTU/ASCII/TCP-to-EtherNet/IP gateways (left) and Moxa 1- and 2-port DF1-to-EtherNet/IP gateways (right)

    Tier 2 – IP Field Control System (See Figure 1, Examples of ICS Components and Associated Tiers)

    a. Control logic resides at this tier, and it is the conversion point to/from electrical signals. It is the lowest tier at which IP connections may appear. This tier is effectively a standalone segment of a larger ICS; in most instances there is sufficient local logic for the control segment to function autonomously without the higher tiers.

    1. 2N – IP Field Control Network: Provides core routing and network switching between the critical services and network segments within the field control system.

    2. 2A – IP-based Networked Controllers: IP-based access controllers and their interfaces (e.g., HID card readers), thermostats, lighting controllers, fire detection panels; essentially any IP- or Ethernet-based controller or sensor.

    3. 2B – Switches: Local field control network Ethernet switches that provide connectivity between the various devices within the field control system. This could be considered edge networking equipment.

    4. 2C – IP to non-IP Control Protocol Routers or Control Protocol Gateways: Devices in this sub-tier are also known as gateways and protocol converters. They bridge a non-IP field protocol (e.g., LonWorks over twisted pair, BACnet MS/TP, Modbus RTU/ASCII or DF1 over serial, FINS over serial) to its IP- or Ethernet-carried form (LON/IP, BACnet/IP, Modbus TCP, EtherNet/IP). These devices may also reside in Tier 3.

    5. 2D – Field Control System local computers: Servers, operator consoles, local HMI, engineering workstations that are used to configure and monitor the local segment of the ICS.

    Examples of Tier 2 Devices that would be part of an inventory

    Modbus TCP Gateway

    (Figure 10) Moxa MGate MB3180/MGate MB3280/MGate MB3480

    (Figure 11) Xpress DR IAP, Modbus TCP Ethernet to RTU/ASCII Serial Controller

    Modbus TCP Modules

    (Figure 12) Advantech ADAM-6050 8-ch Isolated Digital I/O Modbus TCP Module

    (Figure 13) Lantronix UDS1100 with Modbus


    (Figure 14) Gridconnect NET232 Modbus RS232 Adapter (RTU / ASCII / TCP)

    (Figure 15) Gridconnect WiPort Wireless Modbus Module(RTU / ASCII / TCP)


    Fieldbus Gateways

    (Figure 16) Moxa 1-port Modbus RTU/ASCII/TCP-to-EtherNet/IP gateways (left) and Moxa1 and 2-port DF1 to EtherNet/IP gateways (right)


    Modbus to Serial Gateways

    (Figure 17) Banner Engineering DX80 Gateway 900 MHz radio Modbus RS-485, 10-30Vdc std antenna 4 in 8 out PNP I/O

    Tier 1 – Non-IP Field Control System (See Figure 1, Examples of ICS Components and Associated Tiers)

    a. Control logic is converted to/from analog electrical signals at this tier.

    1. Tier 1N – Network media and hardware dedicated to a specific control protocol; Layer 2 and Layer 3 network devices.

    2. Tier 1A – Firmware-based dedicated digital processors.

    Examples of Tier 1 Devices

    Controllers (Non-IP)

    (Figure 18) Circon Configurable VAV Terminal Unit Controller

    (Figure 19) Circon SMC-300 Site Management Controller

    (Figure 20) SCC-310-AHC Air Handler Terminal Unit Controller

  • 30

    (Figure 21)

    Omron Programmable Relay Controller ZEN-10C

    Tier 0 – Sensors and Actuators (See Figure 1, Examples of ICS Components and Associated Tiers)

    a. The interface between the system and the equipment/process being controlled.

    1. Logical IA controls typically do not apply to this tier.

    Examples of Tier 0 Devices

    Sensors

    (Figure 22) Turck Stainless Steel Self Contained Insertion Probe Flow Sensor, DC-PNP (Sourcing) (M6871004)

    (Figure 23) Turck Miniature Temperature Transmitter with 100mm probe length


    (Figure 24) Turck Submersible Pressure Transmitters

    (Figure 25) Baumer Laser Distance Sensor
