NIST Special Publication 800-82
Revision 2 Final Public Draft

Guide to Industrial Control Systems (ICS) Security

Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC)

Keith Stouffer
Intelligent Systems Division
Engineering Laboratory

Suzanne Lightman
Victoria Pillitteri
Computer Security Division
Information Technology Laboratory

Marshall Abrams
The MITRE Corporation

Adam Hahn
Washington State University

February 2015

U.S. Department of Commerce
Penny Pritzker, Secretary

National Institute of Standards and Technology
Willie May, Acting Under Secretary of Commerce for Standards and Technology and Acting Director

SPECIAL PUBLICATION 800-82, REVISION 2 DRAFT GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY

Authority

This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA), Public Law (P.L.) 107-347. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems.
This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in Circular A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in Circular A-130, Appendix III, Security of Federal Automated Information Resources.

Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

National Institute of Standards and Technology Special Publication 800-82, Revision 2
Natl. Inst. Stand. Technol. Spec. Publ. 800-82, Rev. 2, 247 pages (February 2015)
CODEN: NSPUE2

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative.
For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. All NIST Computer Security Division publications, other than the ones noted above, are available at http://csrc.nist.gov/publications.

Public comment period: February 9 through March 9, 2015

Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930
Electronic Mail: [email protected]

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL’s research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.
Abstract

This document provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. The document provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.

Keywords

Computer security; distributed control systems (DCS); industrial control systems (ICS); information security; network security; programmable logic controllers (PLC); risk management; security controls; supervisory control and data acquisition (SCADA) systems

Acknowledgments for Revision 2

The authors gratefully acknowledge and appreciate the significant contributions from individuals and organizations in the public and private sectors, whose thoughtful and constructive comments improved the overall quality, thoroughness, and usefulness of this publication. A special acknowledgement to Lisa Kaiser, Department of Homeland Security, the Department of Homeland Security Industrial Control System Joint Working Group (ICSJWG), and Office of the Deputy Undersecretary of Defense for Installations and Environment, Business Enterprise Integration Directorate staff, Daryl Haegley and Michael Chipley, for their exceptional contributions to this publication.

Acknowledgments for Previous Versions

The original authors, Keith Stouffer, Joe Falco, and Karen Scarfone of NIST, wish to thank their colleagues who reviewed drafts of the original version of the document and contributed to its technical content.
The authors would particularly like to acknowledge Tim Grance, Ron Ross, Stu Katzke, and Freemon Johnson of NIST for their keen and insightful assistance throughout the development of the document. The authors also gratefully acknowledge and appreciate the many contributions from the public and private sectors whose thoughtful and constructive comments improved the quality and usefulness of the publication. The authors would particularly like to thank the members of ISA99. The authors would also like to thank the UK National Centre for the Protection of National Infrastructure (CPNI) for allowing portions of the Good Practice Guide on Firewall Deployment for SCADA and Process Control Network to be used in the document as well as ISA for allowing portions of the ISA62443 Standards to be used in the document.

Note to Readers

This document is the second revision to NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security. Updates in this revision include:

- Updates to ICS threats and vulnerabilities.
- Updates to ICS risk management, recommended practices, and architectures.
- Updates to current activities in ICS security.
- Updates to security capabilities and tools for ICS.
- Additional alignment with other ICS security standards and guidelines.
- New tailoring guidance for NIST SP 800-53, Revision 4 security controls including the introduction of overlays.
- An ICS overlay for NIST SP 800-53, Revision 4 security controls that provides tailored security control baselines for Low, Moderate, and High impact ICS.

Table of Contents

Executive Summary

1. Introduction
1.1 Purpose and Scope
1.2 Audience
1.3 Document Structure

2. Overview of Industrial Control Systems
2.1 Evolution of Industrial Control Systems
2.2 ICS Industrial Sectors and Their Interdependencies
2.2.1 Manufacturing Industries
2.2.2 Distribution Industries
2.2.3 Differences between Manufacturing and Distribution ICS
2.2.4 ICS and Critical Infrastructure Interdependencies
2.3 ICS Operation and Components
2.3.1 ICS System Design Considerations
2.3.2 SCADA Systems
2.3.3 Distributed Control Systems
2.3.4 Programmable Logic Controller Based Topologies
2.4 Comparing ICS and IT Systems Security
2.5 Other Types of Control Systems

3. ICS Risk Management and Assessment
3.1 Risk Management
3.2 Introduction to the Risk Management Process
3.3 Special Considerations for Doing an ICS Risk Assessment
3.3.1 Safety within an ICS Information Security Risk Assessment
3.3.2 Potential Physical Impacts of an ICS Incident
3.3.3 Impact of Physical Disruption of an ICS Process
3.3.4 Incorporating Non-digital Aspects of ICS into Impact Evaluations
3.3.5 Incorporating the Impact of Safety Systems
3.3.6 Considering the Propagation of Impact to Connected Systems

4. ICS Security Program Development and Deployment
4.1 Business Case for Security
4.1.1 Benefits
4.1.2 Potential Consequences
4.1.3 Resources for Building Business Case
4.1.4 Presenting the Business Case to Leadership
4.2 Build and Train a Cross-Functional Team
4.3 Define Charter and Scope
4.4 Define ICS-specific Security Policies and Procedures
4.5 Implement an ICS Security Risk Management Framework
4.5.1 Categorize ICS Systems and Networks Assets
4.5.2 Select ICS Security Controls
4.5.3 Perform Risk Assessment
4.5.4 Implement the Security Controls

5. ICS Security Architecture
5.1 Network Segmentation and Segregation
5.2 Boundary Protection
5.3 Firewalls
5.4 Logically Separated Control Network
5.5 Network Segregation
5.5.1 Dual-Homed Computer/Dual Network Interface Cards (NIC)
5.5.2 Firewall between Corporate Network and Control Network
5.5.3 Firewall and Router between Corporate Network and Control Network
5.5.4 Firewall with DMZ between Corporate Network and Control Network
5.5.5 Paired Firewalls between Corporate Network and Control Network
5.5.6 Network Segregation Summary
5.6 Recommended Defense-in-Depth Architecture
5.7 General Firewall Policies for ICS
5.8 Recommended Firewall Rules for Specific Services
5.8.1 Domain Name System (DNS)
5.8.2 Hypertext Transfer Protocol (HTTP)
5.8.3 FTP and Trivial File Transfer Protocol (TFTP)
5.8.4 Telnet
5.8.5 Dynamic Host Configuration Protocol (DHCP)
5.8.6 Secure Shell (SSH)
5.8.7 Simple Object Access Protocol (SOAP)
5.8.8 Simple Mail Transfer Protocol (SMTP)
5.8.9 Simple Network Management Protocol (SNMP)
5.8.10 Distributed Component Object Model (DCOM)
5.8.11 SCADA and Industrial Protocols
5.9 Network Address Translation (NAT)
5.10 Specific ICS Firewall Issues
5.10.1 Data Historians
5.10.2 Remote Support Access
5.10.3 Multicast Traffic
5.11 Unidirectional Gateways
5.12 Single Points of Failure
5.13 Redundancy and Fault Tolerance
5.14 Preventing Man-in-the-Middle Attacks
5.15 Authentication and Authorization
5.15.1 ICS Implementation Considerations
5.16 Monitoring, Logging, and Auditing
5.17 Incident Response and System Recovery

6. Applying Security Controls to ICS
6.1 Industrial Control Systems in the FISMA Paradigm
6.1.1 Step 1: Categorize Information System
6.1.2 Step 2: Select Security Controls
6.1.3 Step 3: Implement Security Controls
6.1.4 Step 4: Assess Security Controls
6.1.5 Step 5: Authorize Information System
6.1.6 Step 6: Monitor Security Controls
6.2 Guidance on the Application of Security Controls to ICS Using Overlays
6.2.1 Access Control
6.2.2 Awareness and Training
6.2.3 Audit and Accountability
6.2.4 Security Assessment and Authorization
6.2.5 Configuration Management
6.2.6 Contingency Planning
6.2.7 Identification and Authentication
6.2.8 Incident Response
6.2.9 Maintenance
6.2.10 Media Protection
6.2.11 Physical and Environmental Protection
6.2.12 Planning
6.2.13 Personnel Security
6.2.14 Risk Assessment
6.2.15 System and Services Acquisition
6.2.16 System and Communications Protection
6.2.17 System and Information Integrity
6.2.18 Program Management
6.2.19 Privacy Controls

List of Appendices

Appendix A— Acronyms and Abbreviations
Appendix B— Glossary of Terms
Appendix C— Threat Sources, Vulnerabilities, and Incidents
Appendix D— Current Activities in Industrial Control System Security
Appendix E— ICS Security Capabilities and Tools
Appendix F— References
Appendix G— ICS Overlay

List of Figures

Figure 2-1. ICS Operation
Figure 2-2. SCADA System General Layout
Figure 2-3. Basic SCADA Communication Topologies
Figure 2-4. Large SCADA Communication Topology
Figure 2-5. SCADA System Implementation Example (Distribution Monitoring and Control)
Figure 2-6. SCADA System Implementation Example (Rail Monitoring and Control)
Figure 2-7. DCS Implementation Example
Figure 2-8. PLC Control System Implementation Example
Figure 3-1. Risk Management Process Applied Across the Tiers
Figure 5-1. Firewall between Corporate Network and Control Network
Figure 5-2. Firewall and Router between Corporate Network and Control Network
Figure 5-3. Firewall with DMZ between Corporate Network and Control Network
Figure 5-4. Paired Firewalls between Corporate Network and Control Network
Figure 5-5. CSSP Recommended Defense-In-Depth Architecture
Figure 6-1. Risk Management Framework
Figure C-1. ICS-CERT Reported Incidents by Year
Table G-1 Security Control Baselines
Figure G-1 Detailed Overlay Control Specifications Illustrated

List of Tables

Table 2-1. Summary of IT System and ICS Differences
Table 3-1. Categories of Non-Digital ICS Control Components
Table 6-1. Possible Definitions for ICS Impact Levels Based on ISA99
Table 6-2. Possible Definitions for ICS Impact Levels Based on Product Produced, Industry and Security Concerns
Table C-1. Threats to ICS
Table C-2. Policy and Procedure Vulnerabilities and Predisposing Conditions
Table C-3. Architecture and Design Vulnerabilities and Predisposing Conditions
Table C-4. Configuration and Maintenance Vulnerabilities and Predisposing Conditions
Table C-5. Physical Vulnerabilities and Predisposing Conditions
Table C-6. Software Development Vulnerabilities and Predisposing Conditions
Table C-7. Communication and Network Configuration Vulnerabilities and Predisposing Conditions
Table C-8. Example Adversarial Incidents

Executive Summary

This document provides guidance for establishing secure industrial control systems (ICS). These ICS, which include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as skid-mounted Programmable Logic Controllers (PLC) are often found in the industrial control sectors.
ICS are typically used in industries such as electric, water and wastewater, oil and natural gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods.) SCADA systems are generally used to control dispersed assets using centralized data acquisition and supervisory control. DCS are generally used to control production systems within a local area such as a factory using supervisory and regulatory control. PLCs are generally used for discrete control for specific applications and generally provide regulatory control. These control systems are vital to the operation of the U.S. critical infrastructures that are often highly interconnected and mutually dependent systems. It is important to note that approximately 90 percent of the nation's critical infrastructures are privately owned and operated. Federal agencies also operate many of the ICS mentioned above; other examples include air traffic control and materials handling (e.g., Postal Service mail handling.) This document provides an overview of these ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks.

Initially, ICS had little resemblance to traditional information technology (IT) systems in that ICS were isolated systems running proprietary control protocols using specialized hardware and software. Widely available, low-cost Internet Protocol (IP) devices are now replacing proprietary solutions, which increases the possibility of cybersecurity vulnerabilities and incidents. As ICS are adopting IT solutions to promote corporate business systems connectivity and remote access capabilities, and are being designed and implemented using industry standard computers, operating systems (OS) and network protocols, they are starting to resemble IT systems.
This integration supports new IT capabilities, but it provides significantly less isolation for ICS from the outside world than predecessor systems, creating a greater need to secure these systems. While security solutions have been designed to deal with these security issues in typical IT systems, special precautions must be taken when introducing these same solutions to ICS environments. In some cases, new security solutions are needed that are tailored to the ICS environment.

Although some characteristics are similar, ICS also have characteristics that differ from traditional information processing systems. Many of these differences stem from the fact that logic executing in ICS has a direct effect on the physical world. Some of these characteristics include significant risk to the health and safety of human lives and serious damage to the environment, as well as serious financial issues such as production losses, negative impact to a nation’s economy, and compromise of proprietary information. ICS have unique performance and reliability requirements and often use operating systems and applications that may be considered unconventional to typical IT personnel. Furthermore, the goals of safety and efficiency sometimes conflict with security in the design and operation of control systems.

Originally, ICS implementations were susceptible primarily to local threats because many of their components were in physically secured areas and the components were not connected to IT networks or systems. However, the trend toward integrating ICS systems with IT networks provides significantly less isolation for ICS from the outside world than predecessor systems, creating a greater need to secure these systems from remote, external threats. Also, the increasing use of wireless networking places ICS implementations at greater risk from adversaries who are in relatively close physical proximity but do not have direct physical access to the equipment.
ICS cyber security programs should always be part of broader ICS safety and reliability programs at industrial sites, because cyber security is essential to the safe and reliable operation of modern industrial processes. Threats to control systems can come from numerous sources, including hostile governments, terrorist groups, disgruntled employees, malicious intruders, complexities, accidents, and natural disasters as well as malicious or accidental actions by insiders. ICS security objectives typically follow the priority of availability and integrity, followed by confidentiality.

Possible incidents an ICS may face include the following:

- Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation.
- Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life.
- Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have various negative effects.
- ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects.
- Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment.
- Interference with the operation of safety systems, which could endanger human life.

Major security objectives for an ICS implementation should include the following:

- Restricting logical access to the ICS network and network activity.
  This may include using unidirectional gateways, a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, and having separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
- Restricting physical access to the ICS network and devices. Unauthorized physical access to components could cause serious disruption of the ICS’s functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards.
- Protecting individual ICS components from exploitation. This includes deploying security patches in as expeditious a manner as possible, after testing them under field conditions; disabling all unused ports and services and assuring that they remain disabled; restricting ICS user privileges to only those that are required for each person’s role; tracking and monitoring audit trails; and using security controls such as antivirus software and file integrity checking software where technically feasible to prevent, deter, detect, and mitigate malware.
- Restricting unauthorized modification of data. This includes data that is in transit (at least across the network boundaries) and at rest.
- Detecting security incidents. This includes the capability to detect failed ICS components, unavailable services, and exhausted resources that are important to provide proper and safe functioning of the ICS.
- Maintaining functionality during adverse conditions. This involves designing the ICS so that each critical component has a redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS or other networks, or does not cause another problem elsewhere, such as a cascading event.
The ICS should also allow for graceful degradation such as moving from "normal operation" with full automation to "emergency operation" with operators more involved and less automation to "manual operation" with no automation.
- Restoring the system after an incident. Incidents are inevitable and an incident response plan is essential. A major characteristic of a good security program is how quickly a system can be recovered after an incident has occurred.

To properly address security in an ICS, it is essential for a cross-functional cybersecurity team to share their varied domain knowledge and experience to evaluate and mitigate risk to the ICS. The cybersecurity team should consist of a member of the organization’s IT staff, control engineer, control system operator, network and system security expert, a member of the management staff, and a member of the physical security department at a minimum. For continuity and completeness, the cybersecurity team should consult with the control system vendor and/or system integrator as well. The cybersecurity team should report directly to site management (e.g., facility superintendent) or the company’s CIO/CSO, who in turn, accepts complete responsibility and accountability for the cybersecurity of the ICS, and for any safety incidents, reliability incidents, or equipment damage caused directly or indirectly by cyber incidents.

An effective cybersecurity program for an ICS should apply a strategy known as “defense-in-depth”, layering security mechanisms such that the impact of a failure in any one mechanism is minimized. Organizations should not rely on “security by obscurity.” In a typical ICS this means a defense-in-depth strategy that includes:

- Developing security policies, procedures, training and educational material that applies specifically to the ICS.
- Considering ICS security policies and procedures based on the Homeland Security Advisory System Threat Level, deploying increasingly heightened security postures as the Threat Level increases.
- Addressing security throughout the lifecycle of the ICS from architecture design to procurement to installation to maintenance to decommissioning.
- Implementing a network topology for the ICS that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
- Providing logical separation between the corporate and ICS networks (e.g., stateful inspection firewall(s) between the networks, unidirectional gateways).
- Employing a DMZ network architecture (i.e., prevent direct traffic between the corporate and ICS networks).
- Ensuring that critical components are redundant and are on redundant networks.
- Designing critical systems for graceful degradation (fault tolerant) to prevent catastrophic cascading events.
- Disabling unused ports and services on ICS devices after testing to assure this will not impact ICS operation.
- Restricting physical access to the ICS network and devices.
- Restricting ICS user privileges to only those that are required to perform each person’s job (i.e., establishing role-based access control and configuring each role based on the principle of least privilege).
- Considering the use of separate authentication mechanisms and credentials for users of the ICS network and the corporate network (i.e., ICS network accounts do not use corporate network user accounts).
- Using modern technology, such as smart cards for Personal Identity Verification (PIV).
- Implementing security controls such as intrusion detection software, antivirus software and file integrity checking software, where technically feasible, to prevent, deter, detect, and mitigate the introduction, exposure, and propagation of malicious software to, within, and from the ICS.
- Applying security techniques such as encryption and/or cryptographic hashes to ICS data storage and communications where determined appropriate.
- Expeditiously deploying security patches after testing all patches under field conditions on a test system if possible, before installation on the ICS.
- Tracking and monitoring audit trails on critical areas of the ICS.
- Employing reliable and secure network protocols and services where feasible.

NIST, in cooperation with the public and private sector ICS community, developed specific guidance on the application of the security controls in NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, to ICS. While many of the controls in Appendix F of NIST SP 800-53 are applicable to ICS as written, many controls did require ICS-specific interpretation and/or augmentation by adding one or more of the following to the control:

- ICS Supplemental Guidance provides organizations with additional information on the application of the security controls and control enhancements in Appendix F of NIST SP 800-53 to ICS and the environments in which these specialized systems operate. The Supplemental Guidance also provides information as to why a particular security control or control enhancement may not be applicable in some ICS environments and may be a candidate for tailoring (i.e., the application of scoping guidance and/or compensating controls). ICS Supplemental Guidance does not replace the original Supplemental Guidance in Appendix F of NIST SP 800-53.
- ICS Enhancements (one or more) that provide enhancement augmentations to the original control that may be required for some ICS.
- ICS Enhancement Supplemental Guidance that provides guidance on how the control enhancement applies, or does not apply, in ICS environments.

An ICS overlay, which includes this ICS-specific guidance, is included in Appendix G of this document. Section 6 of this document also provides initial guidance on how 800-53 security controls apply to ICS. Initial recommendations and guidance, if available, are provided in an outlined box for each section.

Appendix D of this document provides an overview of the many activities ongoing among federal organizations, standards organizations, industry groups, and automation system vendors to make available recommended practices in the area of ICS security.

The most successful method for securing an ICS is to gather industry recommended practices and engage in a proactive, collaborative effort between management, the controls engineer and operator, the IT organization, and a trusted automation advisor. This team should draw upon the wealth of information available from ongoing federal government, industry groups, vendor and standards organizational activities listed in Appendix D.

1. Introduction

1.1 Purpose and Scope

Relationship to Executive Order 13636 “Improving Critical Infrastructure Cybersecurity”

Recognizing that the national and economic security of the United States depends on the reliable functionality of critical infrastructure, the President under the Executive Order “Improving Critical Infrastructure Cybersecurity” directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The Cybersecurity Framework (CSF) consists of standards, guidelines, and best practices to promote the protection of critical infrastructure.
The prioritized, flexible, repeatable, and cost-effective approach of the Framework will help owners and operators of critical infrastructure to manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties. The initial CSF, published in February 2014, resulted in a national-level framework that is flexible enough to apply across multiple sectors and for different operational environments. The CSF was developed based on stakeholder input to help ensure that existing work within the various sectors can be utilized within the Framework. Industrial control system cybersecurity standards, guidelines, and practices can be leveraged to address the CSF functions in the context of an organization’s risk management program.

The purpose of this document is to provide guidance for securing industrial control systems (ICS), including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other systems performing control functions. The document provides a notional overview of ICS, reviews typical system topologies and architectures, identifies known threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. Additionally, it presents an ICS-tailored security control overlay, based on SP 800-53 rev 4, to provide a customization of controls as they apply to the unique characteristics of the ICS domain. The body of the document provides context for the overlay, but the overlay is intended to stand alone.

ICS are found in many industries such as electric, water and wastewater, oil and natural gas, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods). Because there are many different types of ICS with varying levels of potential risk and impact, the document provides a list of many different methods and techniques for securing ICS.
The document should not be used purely as a checklist to secure a specific system. Readers are encouraged to perform a risk-based assessment on their systems and to tailor the recommended guidelines and solutions to meet their specific security, business and operational requirements. The range of applicability of the basic concepts for protecting the security of control systems presented in this document continues to expand.

1.2 Audience

This document covers details specific to ICS. Readers of this document are assumed to be acquainted with general computer security concepts, and communication protocols such as those used in networking. The document is technical in nature; however, it provides the necessary background to understand the topics that are discussed.

The intended audience is varied and includes the following:

- Control engineers, integrators, and architects who design or implement secure ICS.
- System administrators, engineers, and other information technology (IT) professionals who administer, patch, or secure ICS.
- Security consultants who perform security assessments and penetration testing of ICS.
- Managers who are responsible for ICS.
- Senior management who are trying to understand implications and consequences as they justify and apply an ICS cybersecurity program to help mitigate impacts to business functionality.
- Researchers and analysts who are trying to understand the unique security needs of ICS.
- Vendors that are developing products that will be deployed as part of an ICS.

1.3 Document Structure

The remainder of this guide is divided into the following major sections:

- Section 2 provides an overview of ICS including a comparison between ICS and IT systems.
- Section 3 provides a discussion of ICS risk management and assessment.
- Section 4 provides an overview of the development and deployment of an ICS security program to mitigate the risk of the vulnerabilities identified in Appendix C.
- Section 5 provides recommendations for integrating security into network architectures typically found in ICS, with an emphasis on network segregation practices.
- Section 6 provides a summary of the management, operational, and technical controls identified in NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, and provides initial guidance on how these security controls apply to ICS.

The guide also contains several appendices with supporting material, as follows:

- Appendix A provides a list of acronyms and abbreviations used in this document.
- Appendix B provides a glossary of terms used in this document.
- Appendix C provides a list of ICS threats, vulnerabilities and incidents.
- Appendix D provides a list of ICS security activities.
- Appendix E provides a list of ICS security capabilities and tools.
- Appendix F provides a list of references used in the development of this document.
- Appendix G provides an ICS overlay, listing security controls, enhancements, and supplemental guidance that apply specifically to ICS.

2. Overview of Industrial Control Systems

Industrial control system (ICS) is a general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC) often found in the industrial sectors and critical infrastructures. An ICS consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy).
The part of the system primarily concerned with producing the output is referred to as the process. The control part of the system includes the specification of the desired output or performance. Control can be fully automated or may include a human in the loop. Systems can be configured to operate in open-loop, closed-loop, and manual mode. In open-loop control systems the output is controlled by established settings. In closed-loop control systems, the output has an effect on the input in such a way as to maintain the desired objective. In manual mode the system is controlled completely by humans. The part of the system primarily concerned with maintaining conformance with specifications is referred to as the controller (or control). A typical ICS may contain numerous control loops, Human Machine Interfaces (HMIs), and remote diagnostics and maintenance tools built using an array of network protocols.

ICS are typically used to control industrial processes in the electrical, water and wastewater, oil and natural gas, chemical, transportation, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods) industries. ICS are critical to the operation of the U.S. critical infrastructures that are often highly interconnected and mutually dependent systems. It is important to note that approximately 90 percent of the nation's critical infrastructures are privately owned and operated. Federal agencies also operate many of the industrial processes mentioned above as well as air traffic control.

This section provides an overview of SCADA, DCS, and PLC systems, including typical topologies and components. Several diagrams are presented to depict the network topology, connections, components, and protocols typically found on each system to facilitate the understanding of these systems. These examples only attempt to identify notional topology concepts.
Actual implementations of ICS may be hybrids that blur the line between DCS and SCADA systems. Note that the diagrams in this section do not focus on securing ICS. Security architecture and security controls are discussed in Section 5 and Section 6 of this document respectively.

2.1 Evolution of Industrial Control Systems

Many of today’s ICS evolved from the insertion of IT capabilities into existing physical systems, often replacing or supplementing physical control mechanisms. For example, embedded digital controls replaced analog mechanical controls in rotating machines and engines. Improvements in cost-performance have encouraged this evolution, resulting in many of today’s “smart” technologies such as the smart electric grid, smart transportation, smart buildings, and smart manufacturing. While this increases the connectivity and criticality of these systems, it also creates a greater need for their adaptability, resiliency, safety, and security.

Engineering of ICS continues to evolve to provide new capabilities while maintaining the typical long lifecycles of these systems. The introduction of IT capabilities into physical systems presents emergent behavior that has security implications. Engineering models and analysis are evolving to address these emergent properties including safety, security, privacy, and environmental impact interdependencies.

2.2 ICS Industrial Sectors and Their Interdependencies

Control systems are used in many different industrial sectors and critical infrastructures, including manufacturing, distribution, and transportation.

2.2.1 Manufacturing Industries

Manufacturing presents a large and diverse industrial sector with many different processes, which can be categorized into process-based and discrete-based manufacturing.
The process-based manufacturing industries typically utilize two main processes [1]:

- Continuous Manufacturing Processes. These processes run continuously, often with transitions to make different grades of a product. Typical continuous manufacturing processes include fuel or steam flow in a power plant, petroleum in a refinery, and distillation in a chemical plant.
- Batch Manufacturing Processes. These processes have distinct processing steps, conducted on a quantity of material. There is a distinct start and end step to a batch process with the possibility of brief steady state operations during intermediate steps. Typical batch manufacturing processes include food manufacturing.

The discrete-based manufacturing industries typically conduct a series of steps on a single device to create the end product. Electronic and mechanical parts assembly and parts machining are typical examples of this type of industry.

Both process-based and discrete-based industries utilize the same types of control systems, sensors, and networks. Some facilities are a hybrid of discrete and process-based manufacturing.

2.2.2 Distribution Industries

ICS are used to control geographically dispersed assets, often scattered over thousands of square kilometers, including distribution systems such as water distribution and wastewater collection systems, oil and natural gas pipelines, electrical power grids, and railway transportation systems.

2.2.3 Differences between Manufacturing and Distribution ICS

While control systems used in manufacturing and distribution industries are very similar in operation, they are different in some aspects. Manufacturing industries are usually located within a confined factory or plant-centric area, when compared to geographically dispersed distribution industries.
Communications in manufacturing industries are usually performed using local area network (LAN) technologies that are typically more reliable and high speed as compared to the long-distance communication wide-area networks (WAN) and wireless/RF technologies used by distribution industries. The ICS used in distribution industries are designed to handle long-distance communication challenges such as delays and data loss posed by the various communication media used. The security controls may differ among network types.

2.2.4 ICS and Critical Infrastructure Interdependencies

The U.S. critical infrastructure is often referred to as a “system of systems” because of the interdependencies that exist between its various industrial sectors as well as interconnections between business partners [8] [9]. Critical infrastructures are highly interconnected and mutually dependent in complex ways, both physically and through a host of information and communications technologies. An incident in one infrastructure can directly and indirectly affect other infrastructures through cascading and escalating failures.

Both the electrical power transmission and distribution grid industries use geographically distributed SCADA control technology to operate highly interconnected and dynamic systems consisting of thousands of public and private utilities and rural cooperatives for supplying electricity to end users. SCADA systems monitor and control electricity distribution by collecting data from and issuing commands to geographically remote field control stations from a centralized location. SCADA systems are also used to monitor and control water, oil and natural gas distribution, including pipelines, ships, trucks, and rail systems, as well as wastewater collection systems.

SCADA systems and DCS are often networked together.
This is the case for electric power control centers and electric power generation facilities. Although the electric power generation facility operation is controlled by a DCS, the DCS must communicate with the SCADA system to coordinate production output with transmission and distribution demands.

Electric power is often thought to be one of the most prevalent sources of disruptions of interdependent critical infrastructures. As an example, a cascading failure can be initiated by a disruption of the microwave communications network used for an electric power transmission SCADA system. The lack of monitoring and control capabilities could cause a large generating unit to be taken offline, an event that would lead to loss of power at a transmission substation. This loss could cause a major imbalance, triggering a cascading failure across the power grid. This could result in large area blackouts that could potentially affect oil and natural gas production, refinery operations, water treatment systems, wastewater collection systems, and pipeline transport systems that rely on the grid for electric power.

2.3 ICS Operation and Components

The basic operation of an ICS is shown in Figure 2-1 [2]. Key components include the following:

A typical ICS contains numerous control loops, human interfaces, and remote diagnostics and maintenance tools built using an array of network protocols on layered network architectures. A control loop utilizes sensors, actuators, and controllers (e.g., PLCs) to manipulate some controlled process. A sensor is a device that produces some measurement of some physical property and then sends this information as controlled variables to the controller. The controller interprets the signals and generates corresponding manipulated variables, based on a control algorithm and target set points, which it transmits to the actuators.
Actuators such as control valves, breakers, switches, and motors are used to directly manipulate the controlled process based on commands from the controller. Operators and engineers use human interfaces to monitor and configure set points, control algorithms, and to adjust and establish parameters in the controller. The human interface also displays process status information and historical information. Diagnostics and maintenance utilities are used to prevent, identify, and recover from abnormal operation or failures.

Sometimes these control loops are nested and/or cascading, whereby the set point for one loop is based on the process variable determined by another loop. Supervisory-level loops and lower-level loops operate continuously over the duration of a process with cycle times ranging on the order of milliseconds to minutes.

Figure 2-1. ICS Operation

To support subsequent discussions, this section defines key ICS components that are used in control and networking. Some of these components can be described generically for use in SCADA systems, DCS and PLCs, while others are unique to one. The Glossary of Terms in Appendix B contains a more detailed listing of control and networking components. Additionally, Figure 2-5 and Figure 2-6 in Section 2.3.2 show SCADA implementation examples; Figure 2-7 in Section 2.3.3 shows a DCS implementation example; and Figure 2-8 in Section 2.3.4 shows a PLC system implementation example that incorporates these components.

2.3.1 ICS System Design Considerations

While Section 2.3 introduced the basic components of an ICS, the design of an ICS, including whether SCADA, DCS, or PLC-based topologies are used, depends on many factors. This section identifies key factors that drive design decisions regarding the control, communication, reliability, and redundancy properties of the ICS.
Because these factors heavily influence the design of the ICS, they will also help determine the security needs of the system.

- Control Timing Requirements. ICS processes have a wide range of time-related requirements, including very high speed, consistency, regularity, and synchronization. Humans may not be able to reliably and consistently meet these requirements; automated controllers may be necessary. Some systems may require the computation to be performed as close to the sensor and actuators as possible to reduce communication latency and perform necessary control actions on time.
- Geographic Distribution. Systems have varying degrees of distribution, ranging from a small system (e.g., local PLC-controlled process) to large, distributed systems (e.g., oil pipelines, electric power grid). Greater distribution typically implies a need for wide area (e.g., leased lines, circuit switching, and packet switching) and mobile communication.
- Hierarchy. Supervisory control is used to provide a central location that can aggregate data from multiple locations to support control decisions based on the current state of the system. Often a hierarchical/centralized control is used to provide human operators with a comprehensive view of the entire system.
- Control Complexity. Often control functions can be performed by simple controllers and preset algorithms. However, more complex systems (e.g., air traffic control) require human operators to ensure that all control actions are appropriate to meet the larger objectives of the system.
- Availability. The system’s availability (i.e., reliability) requirements are also an important factor in design. Systems with strong availability/up-time requirements may require more redundancy or alternate implementations across all communication and control.
- Impact of Failures.
The failure of a control function could incur substantially different impacts across domains. Systems with greater impacts often require the ability to continue operations through redundant controls, or the ability to operate in a degraded state. The design needs to address these requirements.
- Safety. The system’s safety requirements are also an important factor in design. Systems must be able to detect unsafe conditions and trigger actions to reduce unsafe conditions to safe ones. In most safety-critical operations, human oversight and control of a potentially dangerous process is an essential part of the safety system.

2.3.2 SCADA Systems

SCADA systems are used to control dispersed assets where centralized data acquisition is as important as control [3] [4]. These systems are used in distribution systems such as water distribution and wastewater collection systems, oil and natural gas pipelines, electrical utility transmission and distribution systems, and rail and other public transportation systems. SCADA systems integrate data acquisition systems with data transmission systems and HMI software to provide a centralized monitoring and control system for numerous process inputs and outputs. SCADA systems are designed to collect field information, transfer it to a central computer facility, and display the information to the operator graphically or textually, thereby allowing the operator to monitor or control an entire system from a central location in near real time. Based on the sophistication and setup of the individual system, control of any individual system, operation, or task can be automatic, or it can be performed by operator commands.

Typical hardware includes a control server placed at a control center, communications equipment (e.g., radio, telephone line, cable, or satellite), and one or more geographically distributed field sites consisting of Remote Terminal Units (RTUs) and/or PLCs, which control actuators and/or monitor sensors.
The control server stores and processes the information from RTU inputs and outputs, while the RTU or PLC controls the local process. The communications hardware allows the transfer of information and data back and forth between the control server and the RTUs or PLCs. The software is programmed to tell the system what and when to monitor, what parameter ranges are acceptable, and what response to initiate when parameters change outside acceptable values. An Intelligent Electronic Device (IED), such as a protective relay, may communicate directly to the control server, or a local RTU may poll the IEDs to collect the data and pass it to the control server. IEDs provide a direct interface to control and monitor equipment and sensors. IEDs may be directly polled and controlled by the control server and in most cases have local programming that allows for the IED to act without direct instructions from the control center. SCADA systems are usually designed to be fault-tolerant systems with significant redundancy built into the system. Redundancy may not be a sufficient countermeasure in the face of malicious attack.

Figure 2-2 shows the components and general configuration of a SCADA system. The control center houses a control server and the communications routers. Other control center components include the HMI, engineering workstations, and the data historian, which are all connected by a LAN. The control center collects and logs information gathered by the field sites, displays information to the HMI, and may generate actions based upon detected events. The control center is also responsible for centralized alarming, trend analyses, and reporting. The field site performs local control of actuators and monitors sensors (Note that sensors and actuators are only shown in Figure 2-5).
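
The control server behaviour described above (polling field devices, knowing which parameter ranges are acceptable, and reacting when values leave them) can be expressed as detection logic that also covers two incidents from the summary: delayed or blocked information flow and unauthorized set point changes. The following Python is an added example, not part of SP 800-82; the RTU names, tags, limits, poll interval, change record and poll samples are all constructed assumptions.

```python
from dataclasses import dataclass

POLL_INTERVAL_S = 5                 # assumed polling interval
MAX_GAP_S = 2 * POLL_INTERVAL_S     # assumed tolerance before a gap is reported

# Constructed acceptable ranges per (RTU, tag).
LIMITS = {
    ("RTU-1", "tank_level_pct"): (20.0, 80.0),
    ("RTU-2", "line_pressure_kpa"): (300.0, 650.0),
}

# Constructed change-management record:
# (rtu, tag, approved set point, window start, window end), times in seconds.
AUTHORIZED_CHANGES = [("RTU-1", "tank_level_pct", 55.0, 10, 20)]


@dataclass(frozen=True)
class Poll:
    t: int            # seconds since start of capture
    rtu: str
    tag: str
    value: float      # process value reported by the field device
    set_point: float  # set point in effect at the device (assumed to be polled)


# Constructed poll history for two field sites.
SAMPLE_POLLS = [
    Poll(0, "RTU-1", "tank_level_pct", 50.0, 50.0),
    Poll(5, "RTU-1", "tank_level_pct", 50.4, 50.0),
    Poll(10, "RTU-1", "tank_level_pct", 50.9, 50.0),
    Poll(15, "RTU-1", "tank_level_pct", 51.8, 55.0),   # approved change
    Poll(20, "RTU-1", "tank_level_pct", 53.1, 55.0),
    Poll(25, "RTU-1", "tank_level_pct", 54.2, 55.0),
    Poll(30, "RTU-1", "tank_level_pct", 54.9, 55.0),
    Poll(0, "RTU-2", "line_pressure_kpa", 500.0, 500.0),
    Poll(5, "RTU-2", "line_pressure_kpa", 503.0, 500.0),
    Poll(10, "RTU-2", "line_pressure_kpa", 511.0, 620.0),  # no change record
    Poll(25, "RTU-2", "line_pressure_kpa", 662.0, 620.0),  # after a 15 s gap
    Poll(30, "RTU-2", "line_pressure_kpa", 668.0, 620.0),
]


def _authorized(p):
    """True if a change record approves this set point at this time."""
    return any(
        rtu == p.rtu and tag == p.tag and sp == p.set_point and start <= p.t <= end
        for rtu, tag, sp, start, end in AUTHORIZED_CHANGES
    )


def analyze(polls, now):
    """Return sorted (time, rtu, tag, kind) findings for a poll history."""
    findings = []
    last = {}          # most recent poll per point
    in_range = {}      # whether the previous sample was within limits
    for p in sorted(polls, key=lambda x: x.t):
        key = (p.rtu, p.tag)
        prev = last.get(key)
        if prev is not None:
            if p.t - prev.t > MAX_GAP_S:
                findings.append((p.t, p.rtu, p.tag, "poll_gap"))
            if p.set_point != prev.set_point and not _authorized(p):
                findings.append((p.t, p.rtu, p.tag, "setpoint_unauthorized"))
        limits = LIMITS.get(key)
        if limits is None:
            findings.append((p.t, p.rtu, p.tag, "unknown_point"))
        else:
            ok = limits[0] <= p.value <= limits[1]
            # Report only the transition into the out-of-range state.
            if not ok and in_range.get(key, True):
                findings.append((p.t, p.rtu, p.tag, "out_of_range"))
            in_range[key] = ok
        last[key] = p
    # Points that have stopped answering by the time of the check.
    for (rtu, tag), p in last.items():
        if now - p.t > MAX_GAP_S:
            findings.append((now, rtu, tag, "silent"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_POLLS, now=30):
        print(finding)
```

In the constructed history the set point change on RTU-2 precedes the gap in polling and the pressure excursion, which is the ordering an analyst would want surfaced together rather than as three unrelated alarms.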
Field sites are often equipped with a remote access capability to allow operators to perform remote diagnostics and repairs usually over a separate dial up modem or WAN connection. Standard and proprietary communication protocols running over serial and network communications are used to transport information between the control center and field sites using telemetry techniques such as telephone line, cable, fiber, and radio frequency such as broadcast, microwave and satellite.

SCADA communication topologies vary among implementations. The various topologies used, including point-to-point, series, series-star, and multi-drop [5], are shown in Figure 2-3. Point-to-point is functionally the simplest type; however, it is expensive because of the individual channels needed for each connection. In a series configuration, the number of channels used is reduced; however, channel sharing has an impact on the efficiency and complexity of SCADA operations. Similarly, the series-star and multi-drop configurations’ use of one channel per device results in decreased efficiency and increased system complexity.

Figure 2-2. SCADA System General Layout

The four basic topologies shown in Figure 2-3 can be further augmented using dedicated communication devices to manage communication exchange as well as message switching and buffering. Large SCADA systems, containing hundreds of RTUs, often employ a sub-control server to alleviate the burden on the primary control server. This type of topology is shown in Figure 2-4.

Figure 2-5 shows an example of a SCADA system implementation. This particular SCADA system consists of a primary control center and three field sites. A second backup control center provides redundancy in the event of a primary control center malfunction.
Point-to-point connections are used for all control center to field site communications, with two connections using radio telemetry. The third field site is local to the control center and uses the WAN for communications. A regional control center resides above the primary control center for a higher level of supervisory control. The corporate network has access to all control centers through the WAN, and field sites can be accessed remotely for troubleshooting and maintenance operations. The primary control center polls field devices for data at defined intervals (e.g., 5 seconds, 60 seconds) and can send new set points to a field device as required. In addition to polling and issuing high-level commands, the control server also watches for priority interrupts coming from field site alarm systems.

Figure 2-3. Basic SCADA Communication Topologies

Figure 2-4. Large SCADA Communication Topology

Figure 2-5. SCADA System Implementation Example (Distribution Monitoring and Control)

Figure 2-6 shows an example implementation for rail monitoring and control. This example includes a rail control center that houses the SCADA system and three sections of a rail system. The SCADA system polls the rail sections for information such as the status of the trains, signal systems, traction electrification systems, and ticket vending machines. This information is also fed to operator consoles at the HMI station within the rail control center. The SCADA system also monitors operator inputs at the rail control center and disperses high-level operator commands to the rail section components.
In addition, the SCADA system monitors conditions at the individual rail sections and issues commands based on these conditions (e.g., stopping a train to prevent it from entering an area that has been determined to be flooded or occupied by another train based on condition monitoring).

Figure 2-6. SCADA System Implementation Example (Rail Monitoring and Control)

2.3.3 Distributed Control Systems

DCS are used to control production systems within the same geographic location for industries such as oil refineries, water and wastewater treatment, electric power generation plants, chemical manufacturing plants, automotive production, and pharmaceutical processing facilities. These systems are usually process control or discrete part control systems.

DCS are integrated as a control architecture containing a supervisory level of control overseeing multiple, integrated sub-systems that are responsible for controlling the details of a localized process. A DCS uses a centralized supervisory control loop to mediate a group of localized controllers that share the overall tasks of carrying out an entire production process [6]. Product and process control are usually achieved by deploying feedback or feedforward control loops whereby key product and/or process conditions are automatically maintained around a desired set point. To accomplish the desired product and/or process tolerance around a specified set point, specific process controllers, or more capable PLCs, are employed in the field and are tuned to provide the desired tolerance as well as the rate of self-correction during process upsets. By modularizing the production system, a DCS reduces the impact of a single fault on the overall system. In many modern systems, the DCS is interfaced with the corporate network to give business operations a view of production.
An example implementation showing the components and general configuration of a DCS is depicted in Figure 2-7. This DCS encompasses an entire facility from the bottom-level production processes up to the corporate or enterprise layer. In this example, a supervisory controller (control server) communicates to its subordinates via a control network. The supervisor sends set points to and requests data from the distributed field controllers. The distributed controllers control their process actuators based on control server commands and sensor feedback from process sensors.

Figure 2-7 gives examples of low-level controllers found on a DCS system. The field control devices shown include a PLC, a process controller, a single loop controller, and a machine controller. The single loop controller interfaces sensors and actuators using point-to-point wiring, while the other three field devices incorporate fieldbus networks to interface with process sensors and actuators. Fieldbus networks eliminate the need for point-to-point wiring between a controller and individual field sensors and actuators. Additionally, a fieldbus allows greater functionality beyond control, including field device diagnostics, and can accomplish control algorithms within the fieldbus, thereby avoiding signal routing back to the PLC for every control operation. Standard industrial communication protocols designed by industry groups such as Modbus and Fieldbus [7] are often used on control networks and fieldbus networks.

In addition to the supervisory-level and field-level control loops, intermediate levels of control may also exist. For example, in the case of a DCS controlling a discrete part manufacturing facility, there could be an intermediate level supervisor for each cell within the plant.
This supervisor would encompass a manufacturing cell containing a machine controller that processes a part and a robot controller that handles raw stock and final products. There could be several of these cells that manage field-level controllers under the main DCS supervisory control loop.

Figure 2-7. DCS Implementation Example

2.3.4 Programmable Logic Controller Based Topologies

PLCs are used in both SCADA and DCS systems as the control components of an overall hierarchical system to provide local management of processes through feedback control as described in the sections above. In the case of SCADA systems, they may provide the same functionality as RTUs. When used in DCS, PLCs are implemented as local controllers within a supervisory control scheme.

In addition to PLC usage in SCADA and DCS, PLCs are also implemented as the primary controller in smaller control system configurations to provide operational control of discrete processes such as automobile assembly lines and power plant soot blower controls. These topologies differ from SCADA and DCS in that they generally lack a central control server and HMI and, therefore, primarily provide closed-loop control without direct human involvement. PLCs have a user-programmable memory for storing instructions for the purpose of implementing specific functions such as I/O control, logic, timing, counting, three-mode proportional-integral-derivative (PID) control, communication, arithmetic, and data and file processing.

Figure 2-8 shows control of a manufacturing process being performed by a PLC over a fieldbus network. The PLC is accessible via a programming interface located on an engineering workstation, and data is stored in a data historian, all connected on a LAN.

Figure 2-8. PLC Control System Implementation Example

2.4 Comparing ICS and IT Systems Security

ICS control the physical world and IT systems manage data. ICS have many characteristics that differ from traditional IT systems, including different risks and priorities. Some of these include significant risk to the health and safety of human lives, serious damage to the environment, and financial issues such as production losses, and negative impact to a nation’s economy. ICS have different performance and reliability requirements, and also use operating systems and applications that may be considered unconventional in a typical IT network environment. Security protections must be implemented in a way that maintains system integrity during normal operations as well as during times of cyber attack [17].

Initially, ICS had little resemblance to IT systems in that ICS were isolated systems running proprietary control protocols using specialized hardware and software. Widely available, low-cost Ethernet and Internet Protocol (IP) devices are now replacing the older proprietary technologies, which increases the possibility of cybersecurity vulnerabilities and incidents. As ICS are adopting IT solutions to promote corporate connectivity and remote access capabilities, and are being designed and implemented using industry standard computers, operating systems (OS) and network protocols, they are starting to resemble IT systems. This integration supports new IT capabilities, but it provides significantly less isolation for ICS from the outside world than predecessor systems, creating a greater need to secure these systems. While security solutions have been designed to deal with these security issues in typical IT systems, special precautions must be taken when introducing these same solutions to ICS environments.
In some cases, new security solutions are needed that are tailored to the ICS environment.

The environments in which ICS and IT systems operate are constantly changing. The environments of operation include, but are not limited to: the threat space; vulnerabilities; missions/business functions; mission/business processes; enterprise and information security architectures; information technologies; personnel; facilities; supply chain relationships; organizational governance/culture; procurement/acquisition processes; organizational policies/procedures; organizational assumptions, constraints, risk tolerance, and priorities/trade-offs.

The following lists some special considerations when considering security for ICS:

- Timeliness and Performance Requirements. ICS are generally time-critical, with the criterion for acceptable levels of delay and jitter dictated by the individual installation. Some systems require deterministic responses. High throughput is typically not essential to ICS. In contrast, IT systems typically require high throughput, and they can typically withstand some level of delay and jitter. IT systems incorporating time-value considerations exist (e.g., financial market trading systems), but many IT systems do not. These systems, that model a problem space in which time is not a factor, are strictly combinatorial. ICS and IT systems that incorporate time as a variable are sequential. Sequential systems often have requirements involving time. For some ICS, automated response time or system response to human interaction is very critical. Some ICS are built on real-time operating systems (RTOS), where real-time refers to timeliness requirements. The units of real-time are very application dependent and must be explicitly stated.

- Availability Requirements. Many ICS processes are continuous in nature. Unexpected outages of systems that control industrial processes are not acceptable. Outages often must be planned and scheduled days or weeks in advance. Exhaustive pre-deployment testing is essential to ensure high availability (i.e., reliability) for the ICS. Control systems often cannot be easily stopped and started without affecting production. In some cases, the products being produced or equipment being used is more important than the information being relayed. Therefore, typical IT strategies such as rebooting a component are usually not acceptable solutions due to the adverse impact on the requirements for high availability, reliability and maintainability of the ICS. Some ICS employ redundant components, often running in parallel, to provide continuity when primary components are unavailable.

- Risk Management Requirements. In a typical IT system, data confidentiality and integrity are typically the primary concerns. For an ICS, human safety and fault tolerance to prevent loss of life or endangerment of public health or confidence, regulatory compliance, loss of equipment, loss of intellectual property, or lost or damaged products are the primary concerns. The personnel responsible for operating, securing, and maintaining ICS must understand the important link between safety and security. Any security measure which impairs safety is unacceptable.

- Physical Effects. ICS field devices (e.g., PLC, operator station, DCS controller) are directly responsible for controlling physical processes. ICS can have very complex interactions with physical processes and consequences in the ICS domain that can manifest in physical events. Understanding these potential physical effects often requires communication between experts in control systems and in the particular physical domain.

- System Operation. ICS operating systems (OS) and control networks are often quite different from IT counterparts, requiring different skill sets, experience, and levels of expertise. Control networks are typically managed by control engineers, not IT personnel. Naïve assumptions that differences are not significant can have disastrous consequences.

- Resource Constraints. ICS and their real-time OSs are often resource-constrained systems that do not include typical contemporary IT security capabilities. Legacy systems are often lacking resources common on modern IT systems. Many systems may not have desired features including encryption capabilities, error logging, and password protection. These ICS may not tolerate typical IT security practices, indiscriminate use of which may cause unavailability and timing disruptions. There may not be computing resources available on ICS components to retrofit these systems with current security capabilities. Adding resources or features may not be possible.

- Communications. Communication protocols and media used by ICS environments for field device control and intra-processor communication are typically different from most IT environments, and may be proprietary.

- Change Management. Change management is paramount to maintaining the integrity of both IT and control systems. Unpatched software represents one of the greatest vulnerabilities to a system. Software updates on IT systems, including security patches, are typically applied in a timely fashion based on appropriate security policy and procedures. In addition, these procedures are often automated using server-based tools. Software updates on ICS cannot always be implemented on a timely basis because these updates need to be thoroughly tested by the vendor of the industrial control application and the end user of the application before being implemented, and ICS outages often must be planned and scheduled days/weeks in advance. The ICS may also require revalidation as part of the update process. Another issue is that many ICS utilize older versions of operating systems that are no longer supported by the vendor. Consequently, available patches may not be applicable. Change management is also applicable to hardware and firmware. The change management process, when applied to ICS, requires careful assessment by ICS experts (e.g., control engineers) working in conjunction with security and IT personnel.

- Managed Support. Typical IT systems allow for diversified support styles, perhaps supporting disparate but interconnected technology architectures. For ICS, service support is usually via a single vendor, which may not have a diversified and interoperable support solution from another vendor. In some instances, third-party security solutions are not allowed due to ICS vendor license and service agreements, and loss of service support can occur if third-party applications are installed without vendor acknowledgement or approval.

- Component Lifetime. Typical IT components have a lifetime on the order of 3 to 5 years, with brevity due to the quick evolution of technology. For ICS where technology has been developed in many cases for very specific use and implementation, the lifetime of the deployed technology is often on the order of 10 to 15 years and sometimes longer.

- Component Location. Most IT components and some ICS are located in business and commercial facilities physically accessible by local transportation. Remote locations may be utilized for backup facilities. Distributed ICS components may be isolated, remote, and require extensive transportation effort to reach.

Table 2-1 summarizes some of the typical differences between IT systems and ICS.

Table 2-1. Summary of IT System and ICS Differences

| Category | Information Technology System | Industrial Control System |
|---|---|---|
| Performance Requirements | Non-real-time; Response must be consistent; High throughput is demanded; High delay and jitter may be acceptable; Less critical emergency interaction; Tightly restricted access control can be implemented to the degree necessary for security | Real-time; Response is time-critical; Modest throughput is acceptable; High delay and/or jitter is not acceptable; Response to human and other emergency interaction is critical; Access to ICS should be strictly controlled, but should not hamper or interfere with human-machine interaction |
| Availability (Reliability) Requirements | Responses such as rebooting are acceptable; Availability deficiencies can often be tolerated, depending on the system’s operational requirements | Responses such as rebooting may not be acceptable because of process availability requirements; Availability requirements may necessitate redundant systems; Outages must be planned and scheduled days/weeks in advance; High availability requires exhaustive pre-deployment testing |
| Risk Management Requirements | Manage data; Data confidentiality and integrity is paramount; Fault tolerance is less important – momentary downtime is not a major risk; Major risk impact is delay of business operations | Control physical world; Human safety is paramount, followed by protection of the process; Fault tolerance is essential, even momentary downtime may not be acceptable; Major risk impacts are regulatory noncompliance, environmental impacts, loss of life, equipment, or production |
| System Operation | Systems are designed for use with typical operating systems; Upgrades are straightforward with the availability of automated deployment tools | Differing and possibly proprietary operating systems, often without security capabilities built in; Software changes must be carefully made, usually by software vendors, because of the specialized control algorithms and perhaps modified hardware and software involved |
| Resource Constraints | Systems are specified with enough resources to support the addition of third-party applications such as security solutions | Systems are designed to support the intended industrial process and may not have enough memory and computing resources to support the addition of security capabilities |
| Communications | Standard communications protocols; Primarily wired networks with some localized wireless capabilities; Typical IT networking practices | Many proprietary and standard communication protocols; Several types of communications media used including dedicated wire and wireless (radio and satellite); Networks are complex and sometimes require the expertise of control engineers |
| Change Management | Software changes are applied in a timely fashion in the presence of good security policy and procedures. The procedures are often automated. | Software changes must be thoroughly tested and deployed incrementally throughout a system to ensure that the integrity of the control system is maintained. ICS outages often must be planned and scheduled days/weeks in advance. ICS may use OSs that are no longer supported |
| Managed Support | Allow for diversified support styles | Service support is usually via a single vendor |
| Component Lifetime | Lifetime on the order of 3-5 years | Lifetime on the order of 10-15 years |
| Components Location | Components are usually local and easy to access | Components can be isolated, remote, and require extensive physical effort to gain access to them |

In summary, the operational and risk differences between ICS and IT systems create the need for increased sophistication in applying cybersecurity and operational strategies.
A cross-functional team of control engineers, control system operators and IT security professionals needs to work closely to understand the possible implications of the installation, operation, and maintenance of security solutions in conjunction with control system operation. IT professionals working with ICS need to understand the reliability impacts of information security technologies before deployment. Some of the OSs and applications running on ICS may not operate correctly with commercial-off-the-shelf (COTS) IT cybersecurity solutions because of specialized ICS environment architectures.

2.5 Other Types of Control Systems

Although this guide provides guidance for securing ICS, other types of control systems share similar characteristics and many of the recommendations from this guide are applicable and could be used as a reference to protect such systems against cybersecurity threats. For example, although many building, transportation, medical, security and logistics systems use different protocols, ports and services and are configured and operate in different modes than ICS, they share similar characteristics to traditional ICS [18].
Examples of some of these systems and protocols include:

Other Types of Control Systems

- Advanced Metering Infrastructure
- Building Automation System
- Building Management Control System
- CCTV Surveillance System
- CO2 Monitoring
- Digital Signage Systems
- Digital Video Management Systems
- Electronic Security System
- Emergency Management System
- Energy Management System
- Exterior Lighting Control Systems
- Fire Alarm System
- Fire Sprinkler System
- Interior Lighting Control System
- Intrusion Detection Systems
- Physical Access Control System
- Public Safety/Land Mobile Radios
- Renewable Energy Geothermal Systems
- Renewable Energy Photo Voltaic Systems
- Shade Control System
- Smoke and Purge Systems
- Vertical Transport System (Elevators and Escalators)

Protocols/Ports and Services

- Modbus: Master/Slave - Port 502
- BACnet: Master/Slave - Port 47808
- LonWorks/LonTalk: Peer to Peer - Port 1679
- DNP3: Master/Slave - Port 20000
- IEEE 802.x - Peer to Peer
- Zigbee - Peer to Peer
- Bluetooth - Master/Slave

The security controls provided in Appendix G of this guide are general and flexible enough to be used to evaluate other types of control systems, but subject matter experts should review the controls and tailor them as appropriate to address the uniqueness of other types of control systems. There is no “one size fits all”, and the risks may not be the same, even within a particular group. For example, a building has many different sub-systems such as building automation, fire alarm, physical access control, digital signage, CCTV, etc. Critical life safety systems such as the fire alarm and physical access control systems may drive the impact level to be a “High”, while the other systems will usually be “Low”. An organization might decide to evaluate each sub-system individually, or decide to use an aggregated approach.
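The protocol list above pairs each control protocol with a port and a communication mode, which is enough to drive a first-pass review of network flow records. As an added example (not part of the NIST guide), the Python code below flags traffic on the listed ports that crosses out of the control zone or, for master/slave protocols, originates from a host that is not an approved master; the zone address ranges, the approved-master list and the flow record layout are assumptions.

```python
import csv
import io
import ipaddress
from typing import List, NamedTuple, Optional

# Protocol, communication mode and port as listed in the guide's table above.
ICS_SERVICES = {
    502: ("Modbus", "master/slave"),
    47808: ("BACnet", "master/slave"),
    1679: ("LonWorks/LonTalk", "peer-to-peer"),
    20000: ("DNP3", "master/slave"),
}

# Assumed addressing plan (hypothetical, not from the guide).
ZONES = {
    "control": ipaddress.ip_network("10.10.0.0/16"),
    "corporate": ipaddress.ip_network("10.20.0.0/16"),
}

# Assumed allow-list of hosts permitted to act as master (the control server).
APPROVED_MASTERS = {ipaddress.ip_address("10.10.1.5")}

# Constructed sample flow records: time,source,destination,destination port
SAMPLE_FLOWS = """\
08:00:05,10.10.1.5,10.10.2.11,502
08:00:07,10.20.4.7,10.10.2.11,502
08:00:09,10.10.3.40,10.10.2.12,20000
08:00:12,10.10.2.20,10.10.2.21,1679
08:00:15,10.20.4.7,10.20.1.1,443
08:00:18,203.0.113.9,10.10.2.30,47808
08:00:20,not-an-ip,10.10.2.11,502
"""


class Finding(NamedTuple):
    time: str
    src: str
    dst: str
    protocol: str
    reason: str


def zone_of(addr) -> str:
    """Name of the zone containing addr, or 'external' if none matches."""
    for name, network in ZONES.items():
        if addr in network:
            return name
    return "external"


def check_flow(time: str, src: str, dst: str, dport: int) -> Optional[Finding]:
    """Return a Finding for a suspicious control-protocol flow, else None."""
    service = ICS_SERVICES.get(dport)
    if service is None:
        return None  # not one of the listed control-system ports
    protocol, mode = service
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    # Control protocols should stay inside the control zone.
    if src_zone != "control" or dst_zone != "control":
        return Finding(time, src, dst, protocol,
                       f"cross-zone {src_zone}->{dst_zone}")
    # In master/slave protocols only approved masters should open requests.
    if mode == "master/slave" and src_ip not in APPROVED_MASTERS:
        return Finding(time, src, dst, protocol, "unapproved master")
    return None


def review_flows(text: str) -> List[Finding]:
    """Check every well-formed record in text; malformed records are skipped."""
    findings = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue
        time, src, dst, port = (field.strip() for field in row)
        try:
            finding = check_flow(time, src, dst, int(port))
        except ValueError:  # bad address or port value
            continue
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in review_flows(SAMPLE_FLOWS):
        print(f"{f.time} {f.protocol}: {f.src} -> {f.dst} ({f.reason})")
```

Peer-to-peer protocols such as LonWorks/LonTalk are checked only for zone crossing, since they have no master role to allow-list.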
The control systems evaluation should be coupled to the Business Impact, Contingency Plan, and Incident Response Plan to ensure organizational critical functions and operations can be recovered and restored as defined by the organization’s Recovery Time Objectives.

3. ICS Risk Management and Assessment

3.1 Risk Management

Organizations deal with risk every day in meeting their business objectives. These risks may include financial risk, risk of failure of equipment, and personnel safety risk, to name just a few. Organizations must develop processes to evaluate the risks associated with their business and to decide how to deal with those risks based on organizational priorities and both internal and external constraints. This management of risk is conducted as an interactive, ongoing process as part of normal operations. Organizations that use ICS have historically managed risk through good practices in safety and engineering. Safety assessments are well established in most sectors and are often incorporated into regulatory requirements. Information security risk management is an added dimension that can be complementary. The risk management process and framework outlined in this section can be applied to any risk assessment including both safety and information security.

A risk management process should be employed throughout an organization, using a three-tiered approach to address risk at the (i) organization level; (ii) mission/business process level; and (iii) information system level (IT and ICS). The risk management process is carried out seamlessly across the three tiers with the overall objective of continuous improvement in the organization’s risk-related activities and effective inter-tier and intra-tier communication among all stakeholders having a shared interest in the mission/business success of the organization.
This section focuses primarily on ICS considerations at the information system level; however, it is important to note that the risk management activities, information, and artifacts at each tier impact and inform the other tiers. Throughout the following discussion of risk management, ICS considerations will be highlighted and the impact that these considerations have on the risk management and risk assessment process will be discussed.

For more information on multi-tiered risk management and the risk management process, refer to NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission and Information System View. NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, provides guidelines for applying the Risk Management Framework to federal information systems to include conducting the activities of security categorization,1 security control selection and implementation, security control assessment, information system authorization,2 and security control monitoring. NIST Special Publication 800-30, Guide for Conducting Risk Assessments, provides a step-by-step process for organizations on: (i) how to prepare for risk assessments; (ii) how to conduct risk assessments; (iii) how to communicate risk assessment results to key organizational personnel; and (iv) how to maintain the risk assessments over time.

3.2 Introduction to the Risk Management Process

As shown in Figure 3-1, the risk management process has four components: framing, assessing, responding and monitoring. These activities are interdependent and often occur simultaneously within an organization. For example, the results of the monitoring component will feed into the framing component.

1 FIPS 199 provides security categorization guidance for non-national security systems. CNSS Instruction 1253 provides similar guidance for national security systems.
2 Security authorization is the official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.

As the environment in which organizations operate is always changing, risk management must be a continuous process where all components have on-going activities. It is important to remember that these components apply to risk management for any risk whether information security, physical security, safety or financial.

Figure 3-1. Risk Management Process Applied Across the Tiers

The framing component in the risk management process consists of developing a framework for the risk management decisions to be made. The level of risk that an organization is willing to accept is its risk tolerance.3 The framing component should include review of existing documentation, such as prior risk assessments. There may be related activities, such as community-wide disaster management planning, that also should be considered since they impact the requirements that a risk assessment must consider.

ICS-specific Recommendations and Guidance

For operators of ICS, safety is the major consideration that directly affects decisions on how systems are engineered and operated. Safety can be defined as “freedom from conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment”.4 Part of the framing component for an ICS organization is determining how these requirements interact with information security. For example, if safety requirements conflict with good security practice, how will the organization decide between the two priorities?
Most ICS operators would answer that safety is the main consideration – the framing component makes such assumptions explicit so that there is agreement throughout the process and the organization.

3 Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems, Revision 1, National Institute of Standards and Technology, February 2010, p. 6.
4 MIL-STD-882E, Standard Practice – System Safety. Department of Defense (DoD). 11 May 2012.

Another major concern for ICS operators is the availability of services provided by the ICS. The ICS may be part of critical infrastructure (for example, water or power systems), where there is a significant need for continuous and reliable operations. As a result, ICS may have strict requirements for availability or for recovery. Such assumptions should be developed and stated in the framing component. Otherwise, the organization may make risk decisions that result in unintended consequences on those who depend on the services provided.

The physical operating environment is another aspect of risk framing that organizations should consider when working with ICS. ICS often have specific environmental requirements (e.g., a manufacturing process may require precise temperature), or they may be tied to their physical environment for operations. Such requirements and constraints should be explicitly stated in the framing component so that the risks arising from these constraints can be identified and considered.

Assessing risk requires that organizations identify their threats and vulnerabilities, the harm that such threats and vulnerabilities may cause the organization and the likelihood that adverse events arising from those threats and vulnerabilities may actually occur.
ICS-specific Recommendations and Guidance

The DHS National Cybersecurity & Communications Integration Center (NCCIC), http://www.dhs.gov/about-national-cybersecurity-communications-integration-center, serves as a centralized location where operational elements involved in cybersecurity and communications reliance are coordinated and integrated. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)5 collaborates with international and private sector Computer Emergency Response Teams (CERTs) to share control systems-related security incidents and mitigation measures. ICS-CERT works to reduce risks within and across all critical infrastructure sectors by partnering with law enforcement agencies and the intelligence community and coordinating efforts among Federal, state, local, and tribal governments and control systems owners, operators, and vendors.

When assessing the potential impact to an organization’s mission from a potential ICS incident, it is important to incorporate the effect on the physical process/system, impact on dependent systems/processes, and impact on the physical environment among other possibilities. In addition, the potential impact on safety should always be considered.

The responding component is based on the concept of a consistent organization-wide response to the identification of risk. Response to identification of risk (as opposed to the response to an incident) requires that organizations first identify possible courses of actions to address risk, evaluate those possibilities in light of the organization’s risk tolerance and other considerations determined during the framing step, and choose the best alternative for the organization.
The response component includes the implementation of the chosen course of action to address the identified risk: acceptance, avoidance, mitigation, sharing, transfer, or any combination of those options [6].

ICS-specific Recommendations and Guidance

For ICS, available risk responses may be constrained by system requirements, potential adverse impact on operations, or even regulatory compliance regimes.

[5] https://ics-cert.us-cert.gov/
Chris Kyle was an ex-US Navy Seal Sniper who, after four tours of Iraq, went on to write a bestselling book graphically chronicling his life as the US's most prolific marksman. Upon retirement he co-founded Craft International, a security company which provides training to military, police, corporate and civilian clients, and Fitco Cares, a foundation he helped establish for veterans with post-traumatic stress disorder (PTSD).
Diplotop - product comparison - gathers KAWAI CP150 users' reviews, tests and opinions. With a database of unprecedented wealth, 6 reviews for the KAWAI CP150, Diplotop compares the KAWAI CP150 with its competitors in order to find the best. On average, its users find the user-friendliness of the KAWAI CP150 reasonable. They give it a very high score for its reliability and sturdiness, and many of them share the same opinion. You can look at the KAWAI CP150 forum to identify problems that users have come across and the suggested solutions. Its users find it fairly efficient, and most of them share the same opinion. They think that it is sold at the right price. You can download the KAWAI CP150 user manual to ensure that its features correspond to your needs.

Manual abstract: RAID rebuilding 2. Locating (blinking with the HDD activity LED)

Chapter 2

This chapter lists the hardware setup procedures that you have to perform when installing or removing system components.

Chassis cover

Removing the rear cover

1. Locate and remove the side screws.
2. Loosen the two thumbscrews on the rear panel.
3. Firmly hold the cover and slide it toward the rear panel for about half an inch until it is disengaged from the chassis.
4. Lift the cover from the chassis.

To recover the rear cover, reverse steps 1 to 4. A protection film is pre-attached to the system cover before shipping. Please remove the protection film before turning on the system for proper heat dissipation.

2.2 Central Processing Unit (CPU)

The motherboard comes with two surface mount LGA 2011 Socket R designed for the Intel® Xeon® E5-2600 series processor family. Ensure that all power cables are unplugged before installing the CPU. Upon purchase of the motherboard, ensure that the PnP cap is on the socket and the socket contacts are not bent.
Contact your retailer immediately if the PnP cap is missing, or if you see any damage to the PnP cap/socket contacts/motherboard components. KAWAI shoulders the repair cost only if the damage is shipment/transit-related. Keep the cap after installing the motherboard. KAWAI will process Return Merchandise Authorization (RMA) requests only if the motherboard comes with the cap on the LGA2011 socket. The product warranty does not cover damage to the socket contacts resulting from incorrect CPU installation/removal, or misplacement/loss/incorrect removal of the PnP cap.

Installing the CPU

To install a CPU: Locate the CPU socket on the motherboard. ...

The users were asked the following question: Is the CP150 easy to use? 6 users answered questions and rated the product on a scale of 0 to 10. The rating is 10/10 if the KAWAI CP150 is very user-friendly. [Graph: distribution of user ratings, 0 to 10.] Statistical data: the average score balanced by the number of reviews is 6.67 and the standard differential is 1.49.

The users were asked the following question: Is the CP150 highly efficient? 6 users answered questions and rated the product on a scale of 0 to 10. The rating is 10/10 if the KAWAI CP150 is, in its domain, the best on a technical level, the one offering the best quality, or offering the largest range of options. [Graph: distribution of user ratings, 0 to 10.] Statistical data: the average score balanced by the number of reviews is 7.17 and the standard differential is 1.57.
The users were asked the following question: Is the CP150 reliable, sturdy? 6 users answered questions and rated the product on a scale of 0 to 10. The rating is 10/10 if you think that the KAWAI CP150 is a sturdy product, which will last a long time before breaking down. [Graph: distribution of user ratings, 0 to 10.] Statistical data: the average score balanced by the number of reviews is 7.5 and the standard differential is 1.5.

The users were asked the following question: Is the CP150 good value for money? 6 users answered questions and rated the product on a scale of 0 to 10. The rating is 10/10 if you think that the KAWAI CP150 is really not expensive considering its features. [Graph: distribution of user ratings, 0 to 10.] Statistical data: the average score balanced by the number of reviews is 6.83 and the standard differential is 1.77.

The Title to Land in Manitoba
MHS Transactions were originally published by the Manitoba Historical Society on the above date. We make online versions available as a free, public service. As an historical document, Transactions may contain language that is no longer in common use and which may offend some readers. They should not be construed to represent the views of today’s Manitoba Historical Society. This online version was prepared using Optical Character Recognition software so that spelling and punctuation errors may have occurred inadvertently. If you find any such errors, please inform us, indicating the document name and error. Please direct all inquiries to [email protected].

May I be permitted to open with a few references to the ownership and transfer of title to land, in what is now Manitoba, in the three centuries prior to the year Manitoba became a Province. In 1669, King Charles II of England signed a document of transfer of an area of land in North America, which area is described at great length in the document, but for present purposes may be described simply as all the land in the watershed of Hudson Bay. This transfer was in favour of "The Governor and Company of Adventurers of England, trading into Hudson's Bay." Of this Company the King's nephew, Prince Rupert, was the leading spirit and, appropriately, the charter discloses that the area shall henceforth be known as "Rupert's Land." The area of this immense tract was added to by the adventurous explorers and traders of this great Company during the succeeding two hundred years.
The limits of the original grant were extended southward until it included a part of North Dakota, westward and southward to where the Columbia River joins the Pacific Ocean, and northward until the boundary rested on the Arctic Ocean. The title to the vast area in the original grant was a somewhat dubious one. By the Treaty of St. Germain-en-Laye, 1632, The King of France was possessed of a better title to the area than His Majesty Charles, but the transfer by Charles was implemented by the Company going into possession, and remaining in possession. As you know, title to land can, even today in various jurisdictions, be acquired by individuals if they have been in undisturbed possession for many years, but such is not the case under the Manitoba Real Property Act. It is of interest to note that the possessory rights of the aboriginal inhabitants of the area - its original first possessors - were not considered by King Charles when he made the grant, but King Louis of France would have been equally indifferent to the rights of the Indians. In the years following the grant to the Hudson's Bay Company, the questionable title of the Company had been validated by the Treaty of Utrecht, 1713, confirmed by the Treaty of Paris, 1763, by which Treaty, France surrendered all of Canada to the British. Thus it may be assumed that the company at last had a good and safe holding title to the land in the grant. The next transfer of title which is of interest to us is that of the Hudson's Bay Company to Lord Selkirk, in 1811. At that time, the Company transferred an area of 116,000 square miles, part of the lands given to the Company by King Charles. Lord Selkirk was a man of vision, whose compassionate nature was stirred by the desperate plight to which the poorer farm people of Scotland were reduced in the years following the Rebellion of 1745. 
Upon obtaining this grant, Lord Selkirk offered to pay the expenses of any of the Scottish cotters who would come to the Red River as settlers, and many accepted and many came out in 1811 and the four following years. The tract of land granted to Lord Selkirk roughly corresponds to what was to become the Province of Manitoba as it was in 1870. In 1836, the Hudson's Bay Company repurchased from Selkirk's heirs all the lands originally granted to Selkirk twenty-five years before. This contract between the Selkirk heirs and the Company did not specify that any deeds given by Lord Selkirk to any of his settlers during the tenure of his ownership were to be confirmed to the settlers by the Company, but the Company honoured these grants. Now we come to one of the most famous transfers of land in history, one that has been called "The greatest single transfer of territory ever made, excepting those which may have resulted from a War". This was the sale of the territory of the Hudson's Bay Company to Canada in 1869. Provision for this passing of title had been made in the British North America Act of 1867, so Rupert's Land joined Confederation when Manitoba became a Province on July 15, 1870. The conditions of transfer included the payment of £300,000 to the Company but, in addition, the Company was allowed to retain one twentieth of the fertile land and five hundred acres of a reserve around each of its trading posts. These lands were to be allotted to the Company as soon as surveys could be made. Eventually, the Company secured title to almost seven million acres of land. All deeds to settlers given by the Company were confirmed, and any claims by the Indians to portions of the territory were to be settled by Canada. 
At that time, Fort Garry at the junction of the Red and Assiniboine Rivers, where the bulk of the trading was carried on, had around it a settlement of about two hundred people, a half dozen or more shops of the free traders, and an almost equal number of taverns. This collection of a few score wooden shacks was the embryo of a great city. The census of 1871 gave it a population of but two hundred and forty-one, but it became an incorporated town in 1873 and the City of Winnipeg in 1877. Before the agreement whereby the Canadian government was to purchase the Company's land was completed, Canada sent surveyors into the Red River settlement to survey the lands, that they might be readily sold to the many settlers who, it was hoped, would soon be seeking land in the area. Up to this time, the only surveyed lands in the settlement consisted of the rows of lots along the Red and Assiniboine Rivers. The Hudson's Bay Company had used these early surveys when it granted deeds to purchasers. These lots had a frontage of ten chains on the river by two miles in length, with the privilege to the owner of acquiring a further two miles extension - this second parcel was known as the "Hay Privilege" or the "Outer Two Miles" of the river lot. This was the only form of survey of which the settlers had any knowledge and, as there were rumours that the whole of the area was to be surveyed into townships six miles square, each to contain thirty-six sections of six hundred and forty acres, there was great apprehension in the community, as some of the settlers feared their homes and farms would be taken from them. These fears were strongest among those from Quebec where the same system of surveys existed along the rivers. This situation was among the causes which led to the Red River Rebellion of 1869-70. The arrival of Wolseley's Expedition at Fort Garry on August 24, 1870, and the flight of the rebel leaders closed that chapter of the history of Manitoba.
In the summer following, the surveyors started their work again. Within a few months, the newly surveyed lands were open as homesteads for the new settlers who were coming into the settlement in steadily increasing numbers. Since that time, it has been usual to assume that title to land in the Province can be issued only after some formal survey has been made and registered. Yet, the ownership of land has from time immemorial passed without surveys, as we know them. Even in Manitoba today, instances can be found of land being sold and title issued to the lands described by what is known to conveyancers, as a "metes and bounds" description, which may be liberally translated as "limited by measurement and boundary". The most interesting example of this, that comes to mind, is the title to "Hawthorne Lodge" near St. Andrew's Locks, on the Red River. The history of this notable property so fascinated me that I made a detailed study of it as, apart from its historic interest, I consider that the fact that the province of Manitoba issued a guaranteed title to the property is one of the best evidences of the flexible efficiency of the system of land titles we have in the province. To illustrate my point, I ask you to bear with me while I recite the description of this property in the deed from the Hon. Alfred Boyd to Dr. David Young in 1871. From this, it will be apparent, that the surveys of the period did not have the certainty of the modern surveys. "ALL AND SINGULAR, that certain parcel or tract of land and premises, situate lying and being in the said Parish of St. Andrews North and in the County of Lisgar and the Province of Manitoba aforesaid and being composed of part of lots numbers One Hundred and Sixteen (116), One Hundred and Seventeen (117), and One Hundred and Eighteen (118) in the said Parish of Saint Andrews North as surveyed by A. H. Vaughan, D.L.S. 
and which may be better known and described as follows: that is to say, Commencing at a point at high water mark on the West side of the Red River. Thence North sixty degrees West astronomically (at forty-five links there is an offset at right angles to the left nine links to an oak tree blazed on three sides) five chains and sixty links to the middle of a brook. Thence North sixteen degrees East, following the said brook, one chain and eighty-two links intersecting a granite boulder to the middle of a bridge which crosses the said brook. Thence North Fifty-six degrees and ten minutes East following the general course of the middle of the said brook Eight chains and thirty links to the said Red River. Thence South Fifteen degrees West Nine chains and seventy links along the said Red River to the place of beginning. Being bounded on the East by the said Red River, on the North and West by the said brook and on the South by the fence being the Northern boundary of the parcel of land one chain wide bought from James Gunn by the said party of the first part through which the late B. R. Ross had a right of way to the Red River aforesaid. CONTAINING by admeasurement Three acres one rood and five perches of land be the same more or less. AND also the right of way to the river from the aforesaid lot over the land which was purchased from one James Gunn by the said party of the first part and also the right of way to and from Hawthorne Lodge by the road now used for that purpose to the main highway." Application was made later to bring the land under the Manitoba Real Property Act and the District Registrar, having taken evidence, decided the applicant had a safe holding title and issued the guaranteed title, according to a plan of survey which the District Registrar had directed to be made. 
Few know it, but the certificate of title issued is the only one in Manitoba in which the Registrar General, appreciating the historic significance of the place, permitted the inclusion of the name of the property in the Certificate of Title. Today, as part of the description of the land, appear the words "known as Hawthorne Lodge". A proud distinction indeed, but clearly no home in the province is so steeped in tradition. In support of this statement, may I give the names of the eminent men who have been owners of the property, as this is the only place where they will likely be recorded. The first owner was George Taylor, the official "Surveyor of the Colony", who made the first complete survey thereof, and left the famous "Register B" containing the names of the owners of all the lands he surveyed. This Register has been appropriately described as "The Doomsday Book of the Red River". Mr. Taylor held title from 1839 to 1848. He was followed in ownership by John Flett, 1848 to 1858. Mr. Flett was an officer of the Hudson's Bay Company. In 1858, Mr. Flett sold it to Chief Factor John Edward Harriott, a distinguished officer of the Hudson's Bay Company. In 1862, it became the home of Judge John Black, the President of the Court of the Governor and Council of Assiniboia, the Supreme Tribunal of Rupert's Land. Recorders had been the chief legal authorities in Red River previously, but it is believed Black was the first person to be designated a Judge. From 1868 to 1871, it was the home of the Hon. Alfred Boyd, the first premier of Manitoba. There is record in the Provincial Library of Manitoba that he had the unique distinction of being appointed to that position, and that of Provincial Secretary on September 16, 1870, to assist the Governor until the first election could be held, which position he held until December 14, 1871. 
Following the election, he became Minister of Agriculture and Public Works in the first Cabinet, later resigning from the legislature to provide a seat for the Hon. John Norquay who succeeded him in these portfolios. Dr. David Young acquired the property in 1871 and held it until 1905. Doctor Young was one of the most distinguished physicians of the province, and from 1885 to 1911, was Superintendent of the Selkirk Mental Hospital, and was the oldest member of the profession in the province when he died in 1931. From 1905 to 1914, Roderick Ross Sutherland, M.A., son of Senator Hon. John S. Sutherland, was the owner. He was one of the first class to graduate from the University of Manitoba as B.A. 1882, and M.A. 1885. He was called to the Bar, 1888. Following him, was the Hon. Robert Jacob, K.C., Attorney-General of the province in the government of Hon. T. C. Norris, who held the property from 1914. In 1918, he sold it to Dunbar Hibbard Hudson who built the present Hawthorne Lodge and lived there until 1946. A wealthy man, he left the residue of his fortune to The Winnipeg Foundation. On his death, Hawthorne Lodge passed to the Hon. James O. McLenaghen, K.C., one of Manitoba's most distinguished Attorneys-General who died there in 1950, from whose estate it passed to the present owner, Lt. Colonel G. P. R. Tallin, Q.C., the learned Dean of the Faculty of Law of the University of Manitoba. Thus, the records show that from 1839 to the present day, those who dwelt at Hawthorne Lodge were men of high character and distinction, honoured by their fellow-men, contributing much to the development of Rupert's Land, and of the New Canada of the West that came with the founding of Manitoba. 
In Manitoba prior to 1870, dealings with land followed the practice in Britain, except that there were no Registry Offices; however, the Hudson's Bay Company allowed anyone who wished to deposit a document affecting land to do so in the office of the accountant of the Company, but there was no obligation to do so. When Manitoba became a Province, the Registry Act was one of the first statutes passed by the Legislature and Registry Offices were opened in each county. Today, the title to land in Manitoba is either under the Real Property Act or the Registry Act of the Province. Almost eighty-five percent of the valuable land in the province has been brought under the operation of the Real Property Act since the Act came into force July 1, 1885. It is in the earlier settled districts of the province where the greater part of the lands remaining under the Registry Act are still to be found, but in the cities, larger towns, and more recently-opened districts the titles are under the Real Property Act. The Registry Act of Manitoba is a product of the evolution of the real property law of England and it was under this system that all registrations affecting land in the province were made prior to 1885. The chief principle of the Registry Act is to give notice by registration, which registration makes the instrument a prior instrument for what it is worth. In practice, in the early days in Manitoba, the whole document was copied into an abstract book in the Registry Office. Later, this cumbersome practice was not followed; only brief particulars of the document were entered on the abstract, but the person making the registration was required to present the document in triplicate; one copy being placed in the regular files of the office, one copy returned to the person requesting registration, and the third copy filed by the Registrar in what was hoped was a safe depository, remote from the place where the office copy was filed.
With these precautions it was hoped to ensure that at least one of the three copies would escape loss by fire, or loss in any other way. Under the Registry Act the following features militate against efficiency and security; any dealing with a title necessitates an investigation of every document, deed, mortgage, passage by devolution on death of an owner, or by legal process, back to the grant from the Crown, before an attorney can safely give any opinion on the validity of a title. This may entail days of work by a lawyer and thus the man who sells or buys a property of small value may have a bill for legal fees far out of proportion to the value of the land. Further, as there is no obligation to register documents, they may be retained by an owner in his own depository. There may be difficulty, therefore, in locating all documents affecting the title, any one of which might disclose interests at variance with those of an apparent owner. The lawsuit based on lost or destroyed deeds has, through the centuries, provided one of the most lucrative sources of income of lawyers. Again, what are known as "clouds on title" appear on an abstract of the title in a Registry Office. Such a "cloud" may occur as any instrument containing a legal description of land, and bearing the signature of anyone purporting to have an interest in the property, with an affidavit of a witness may be registered and take its place on the abstract, though it may have no legal effect whatsoever, yet an action in court may be necessary to remove it from the record. All these features cause delay, danger and expense. Under the Registry Act, a mortgage is a conveyance to the money lender, of the land mortgaged, with a proviso that the conveyance shall be void on satisfaction of certain covenants made by the borrower. 
This places the mortgagee in a most favored position; nevertheless, the practice under the Manitoba Real Property Act has proved so satisfactory to both the mortgagor and the mortgagee that today when application is made for a loan to be secured by mortgage and the property affected is under the Registry Act, the lender frequently insists that the property be brought under the Real Property Act before advancing the money. The Registry Act is the system found in the eastern provinces of Canada (excepting parts of Ontario) and the United States. Many of the states in the latter country have on their statutes an Act similar to the Manitoba Real Property Act, but in the United States the title guarantee companies, which issue policies of insurance guaranteeing titles, have strong lobby groups, which persuade the legislators not to put the acts in force. To my own knowledge, mortgage companies lending money in California, and having abstract and title guarantee companies as subsidiaries, have actually obliged a borrower to withdraw his land from under this new system and place it under the old abstract or Registry Act system, before they will advance the money. Thus, a company not only makes the usual profit of a money-lender, but makes a further profit by selling the borrower a policy guaranteeing his own title which, up to that time, had been guaranteed by the state. With these few remarks on the Registry Act and before entering on a discussion of the Real Property Act, it would be appropriate to mention something of the careers of the men who introduced this new system into Manitoba, particularly as no record of these early administrators has hitherto been assembled. During the four years following the passing of the Act in 1885, three men filled the position of Registrar General, but the names of these three men are entirely unknown to the present generation.
In the circumstances it is hoped that there is sufficient justification for mention of pertinent points of their careers. The first Registrar General was one of the most colourful figures in the public life of Manitoba, in the days when Manitoba had many such, so I will set down something of what my research has revealed as to that ambitious, talented, and robust personality. The Hon. James Andrews Miller was the son of a barrister practicing in Galt, Ontario, where the future Registrar General was born in 1839. He took his B.A. with honours in classics and mathematics at Trinity College in Toronto in 1859, followed by degrees of B.C.L., and D.C.L. In 1863 he was called to the bar and soon had a lucrative practice in St. Catharines, Ontario. In 1880 he was created a Q.C. and in October of the same year, he came to Manitoba, on his appointment as a puisne Judge of the Superior Court of this Province. On December 31, 1882, Mr. Justice Miller resigned from the Bench, ostensibly at the request of the Hon. John Norquay, the then premier of the province, who was said to want Mr. Miller as Attorney-General in his cabinet, but it is hinted the real reason was that Miller was incensed because he was not made Chief Justice in succession to Chief Justice Wood who died October 7, 1882. The resignation of the Hon. A. M. Sutherland, the Attorney-General, opened the way for Mr. Miller, who was sworn in as Attorney-General. In the general election of January 23, 1883, Mr. Miller attempted to obtain a seat in the Legislature, being a candidate in the constituency of Rockwood. However, he was badly defeated by the Liberal candidate Samuel Jackson. The election campaign was conducted in the free-and-easy Western style of the period; candidates and their supporters driving through the constituency distributing liquor and other presents to the homes of the electors. When the Attorney-General was defeated, an action was at once started to have the victor unseated.
The case went on for weeks; the most damaging evidence being produced. As might be expected, Jackson was unseated for corrupt practices, and his defense is alleged to have cost him six thousand dollars. The newspaper which supported Jackson castigated Miller and said: "Jackson would beat him four to one if he ever again attempted to run in Rockwood." The subtle Attorney-General had other plans, however. The town of Rat Portage was in disputed territory, that is, it was uncertain whether it was in Ontario or Manitoba; the eastern boundary of the Province being not then officially defined. Manitobans sometimes claimed the boundary of Manitoba was somewhere east of Port Arthur, Ontario. Rat Portage was then a settlement of approximately one hundred families. Here Manitoba maintained a Courthouse, Land Registry Office, jail, magistrates, and a police force of twenty-five men. Ontario had the same, and many conflicts arose between the two authorities. If a man was jailed by one police force and he had friends in the other force, the jail would be broken into and the man released by the other force. In one foray, the Manitoba jail was burned down and Premier Norquay, with a strong force, occupied the town and overcame the Ontario police force and brought them back to Winnipeg for trial. So life went on in this exciting way. The district had a member in the legislature of Ontario where there was a Liberal government at the time, so Mr. Miller deemed it only fair that it should have a member in the legislature of Manitoba, and he announced that he would be the Conservative candidate. Mr. Miller promised the electors that he would at once arrange to have the district confirmed as part of Manitoba, and at meetings flourished a telegram from Sir John A. MacDonald, the then Prime Minister of Canada, wishing him success, and promising every support. Leading men of each party took part in the election and the campaign grew more heated every hour. 
To add to the confusion and conviviality, an election was to be held in Rat Portage for a member of the Ontario legislature on the same day as the Manitoba election. This was all that was needed to turn the event into a wild carnival of election corruption - all of which was thoroughly enjoyed by the population of which the vast majority were transient workers employed in putting through the main line of the C.P.R. which had just then reached Rat Portage. These men revelled in the entertainment most generously provided by the four candidates seeking their votes. It is doubtful if ever an election was conducted in such circumstances in any place in the realm of good Queen Victoria. The campaign was a hectic one, for if ever there was a frontier town this was one, in fact, it was an over-lapping frontier town. For days the fiesta continued, growing more uncontrolled every hour. This was now to provide the excuse for the final touch that completed the festivities. It will never be known who thought of the next move, but it was hinted that it came from Mr. Miller's fertile brain. A rumour had been circulated that the Ontario police had secret orders to seize certain ballot boxes containing the ballots of those voting for the candidates contesting the seat for the Ontario legislature, to prevent the votes being counted. In the circumstances, it was but natural that Attorney-General Miller should be fearful that his ballot boxes might be seized, so he ordered the 13th Field Battery of Winnipeg under the command of Lt. Col. William Kennedy - fifty-five strong and armed with rifles - to occupy the town on election day. In this he must have had the acquiescence of the government at Ottawa. A special train was chartered to carry the troops from Winnipeg, with four cars attached for the voters. Naturally, it was expected that these men would vote for Mr. Miller. For reasons that may be apparent, Mr. 
Miller finished his campaign and returned to Winnipeg the night before the election. The newspapers of the day, reporting the election, described in forthright language how elections were carried on in the dawn of democracy. As was expected, Mr. Miller received a sweeping majority. The Manitoba Free Press, reporting the event on September 29, 1883, said editorially: "The majority for Miller was made up of the voters taken out from Winnipeg like so many cattle. There are not enough bona-fide property holders in the Constituency to make up the number who voted for Mr. Miller. These men were virtually hired by the Attorney-General and his government. It is not pleasant to see men who are supposed to be in charge of our legislation, not only break the laws openly, but encourage others to break them too. The Attorney-General's support was derived from the lowest order of street loafers and bar-room rowdies of Winnipeg. There is strong reason to suppose the funds needed for this were supplied by Ottawa. Men went from Morris and Emerson to vote, who did not own a foot of property in the whole division. The Attorney-General should never be allowed to hold his office with the fraudulent manufacture of votes as a basis of his tenure." The paper also stated: "The most unhappy man over the result should be John Norquay. Mr. Miller, now that he is in the government, will never rest until he is Premier unless his overweening ambition might land him out of the Cabinet as it did off the bench, when aiming for the highest position thereon a short time ago." So Mr. Miller sat in the Manitoba Legislature as member for Rat Portage, but not for long. In 1884, the surveys undertaken by the Dominion government revealed that the territory was part of the province of Ontario, and in December of that year, Mr. Miller resigned the position of Attorney-General and from the Legislature. 
As the Real Property Act was then about to be passed by the Legislature, he was made the first Registrar General to administer the Act. People lived robustly in those days, and Mr. Miller moved in a circle of bon vivants. It is a matter of record that, but a few years before, the Chief Justice of Manitoba had been reprimanded by the Minister of Justice for "acts of public intoxication." There is no evidence that this recognition of his conduct adversely affected his career, as he remained Chief Justice until his death years afterward. A news item in the Free Press of November 2, 1886 states in part: "Mr. Miller a few days ago, slipped on the stairway of the McKenzie Hotel and hurt himself. To one so heavy as Mr. Miller, the fall was a serious one, his ribs were fractured and a cut inflicted on the back of his head; he died this morning; he left a widow." The same issue contained an editorial interesting in several ways. To quote: "The news of Mr. Miller's death has been received on every side with feelings of regret. Though his life was a short one, it has been a busy one, bringing him in contact with men in university life, at the bar, on the bench, in politics, and just previous to his death, as Registrar General for the province under the Torrens Act. At the bar, his talents and ability were universally acknowledged. He had a judicial mind of high order, and legal ability above the average. On the bench, to which he was elevated in 1880, he showed the same judicial talent which he displayed at the bar, but even in more marked degree. His decisions were regarded with confidence and respect. His descensus from the bench to politics was, in our opinion, ill-advised, but of this and his subsequent political career we will say nothing, except that in common with that of his colleagues, the course of the late Attorney-General met with our disapproval. 
Outside the pales of political and professional life, there is another sphere in which qualities of the heart and mind more or less foreign to law and politics, have play, and in social life the late Mr. Miller found his good natured geniality, love of sports, and appreciation of the refined pleasures of life, well-received. We have nothing more to say, we can only express the regret which all feel, point the moral, and extend our sympathies to those mourning the loss." The tragic death of Mr. Miller brought the appointment of Felix Chenier as Registrar General pro-tempore. Mr. Chenier was a gentleman of an entirely different type who had studied law in Quebec and had come to Manitoba as a member of the Quebec Battalion of Wolseley's Expedition to the relief of Fort Garry. He became a member of the bar of Manitoba on June 29, 1871, in the only way possible at that time, by an Order-in-Council of the Lieutenant-Governor. He was elected to the second legislature of the province representing Baie St. Paul for the years 1874-1878. He was the first Registrar of Deeds for the County of Marquette, from which office he came into the Winnipeg Land Titles Office as an Examiner of Titles on the introduction of the Real Property Act in July, 1885. He held the position of Registrar General from November 1, 1886 until the appointment of Mr. Coutlee July 1, 1887. Mr. Chenier then became Deputy Registrar General. Louis William Coutlee, son of the then Sheriff of Ottawa, was born in Hull, Quebec in 1851. He graduated from McGill University as B.C.L. in 1873 and was called to the bar of Lower Canada in 1873, the bar of Upper Canada in 1875, and the bar of Manitoba in 1885. He served in the Fenian Raids of 1866 and 1870 and the North West Rebellion of 1885. Lt. Col. Coutlee joined the Manitoba Civil Service in 1883 and was Deputy Attorney-General before he became Registrar General. From Mr. Macara, who followed Coutlee as Registrar General, I learned of the dramatic exit of Mr. 
Coutlee from office. In 1883, Joseph Martin, a lawyer of great political ambition, was elected by the Liberals of Portage la Prairie to a seat in the Legislature of Manitoba. That stormy petrel of politics in early Manitoba was an amazing master of political strategy and platform oratory. He was, it is believed, the only man who was ever a member of four legislative bodies in the Empire. He became Attorney-General of Manitoba in 1888, a member for Winnipeg in the House of Commons at Ottawa in 1893, and in 1898, became Attorney-General of British Columbia, and later Premier of that Province, and then in 1910, became the Liberal member for St. Pancras, London, in the Imperial House of Commons. While Martin was a practising lawyer, he had occasion to attend on the Registrar General on behalf of a client. The documents presented by Mr. Martin did not satisfy the critical Mr. Coutlee who declined to approve registration. The fiery Mr. Martin and the adamant Mr. Coutlee clashed, strong words passed, and the Registrar General is reported to have ordered Mr. Martin out of the office. Mr. Martin never forgot anyone who thwarted him. Strong words and direct action were his stock-in-trade. The year after Mr. Coutlee's appointment, the fortunes of politics made Mr. Martin Attorney-General, and thus the head of the Department which included the Land Titles Office of which Mr. Coutlee was the head. A further clash arose between these two strong-minded men. This time Mr. Martin was in a position to take the direct action of which he was a master. One can imagine he rather enjoyed himself when, on October 28, 1889, he signed a recommendation to the Executive Council for the abolition of the office of Registrar General of Manitoba. As soon as the Order-in-Council was signed, the Attorney-General marched across Broadway into the office of the Registrar General, and is reputed to have said: "Mr. 
Coutlee, I hear you are writing a book on The Torrens System - I do not think you know anything about it - but that you may have more time to work on it, you are relieved from duty. Here is an Order-in-Council abolishing your position. Take your hat and coat and get out." Mr. Coutlee's book, A Manual on the Law of Registration of Title to Real Estate in Manitoba and the North-West Territories, was duly finished and published the following year, and it became a standard work on the subject. A later government of Manitoba put the book into the libraries of every Land Titles Office in Manitoba. The work had an exceptional reception by the legal profession, and Mr. Coutlee, in his day, was acclaimed an authority on the subject not only in Canada but wherever the Torrens System had been introduced throughout the world. Within a year Attorney-General Martin re-established the office of Registrar General, appointing William Elliot Macara to the position on September 21, 1890, and he held the position until his death on May 15, 1929. Mr. Macara joined the staff of the Winnipeg Land Titles Office as an Examiner of Titles on January 1, 1887, and was District Registrar at the time he was appointed Registrar General. Beyond doubt he was one of the most able administrators of the Torrens System and gave Manitoba a system and practice unsurpassed in Canada. The Torrens System was placed on the statutes of Ontario in the same year as in Manitoba, but in Ontario the members of the legal profession would not, for many years, advise their clients to adopt it. In Manitoba, due to the great respect in which Mr. Macara's administration was held, the system steadily increased in popularity with lawyers and laymen, until today, only a small percentage of the lands in the province remain outside the Real Property Act. 
In itself, this was a triumph, as it must be remembered that, for years after this new system of title-holding was placed on the statutes of Manitoba, the vast majority of the lawyers practising in Manitoba had graduated in law in provinces where the system was unknown. A further tribute to Mr. Macara was the fact that, in 1905 and 1906, when the Provinces of Alberta and Saskatchewan were created and the Torrens System became law in those provinces, the practice Mr. Macara had formulated for the Land Titles Offices of Manitoba was adopted in full for the offices of the new provinces. Manitoba and Canada owe a great debt of gratitude to Mr. Macara for the development of the system during the thirty-nine years of his administration. In 1923 he was created a King's Counsel, and more than once it was mentioned that his services would be recognized by a knighthood; such an honour was richly deserved, and would have been particularly appropriate for the grandson of Sir Robert Macara, Colonel of the Black Watch, who was killed at Waterloo. The Manitoba Real Property Act is based on the system introduced into South Australia by Sir Robert Torrens in 1858. Torrens, while collector of customs in Port Adelaide, South Australia, conceived the idea of a land transfer system based on the Shipping Acts. These Acts provided an efficient mode of transfer of ships, on the principle of conveyance by entry in a public office. By adapting this principle to land titles he relieved dealings with lands of many of the involved practices which had hampered it in past ages. This was an entirely new method of dealing with land, but its advantages were at once apparent, especially when the validity of the certificates of title was guaranteed by the state or province. This system, with modifications, was later introduced into other Australian states and into many other parts of the world. Today, there are more than sixty jurisdictions of the system in the British Empire and Commonwealth. 
The organization and administration of the Manitoba Real Property Act is under the Department of the Attorney-General. The chief officer of the System is the Registrar General who, in earlier years, ranked as a Deputy Minister in this Department. To ensure that men of experience held the appointment of Registrar General, the Statute required that the appointee should have at least ten years standing at the Bar, and a District Registrar should have at least five years standing before being appointed to his position. The reason for this will be apparent when consideration is given to the powers and responsibilities delegated to these officers. The Province of Manitoba, with a population of over 850,000, in an area of 246,712 square miles, of which the land surface is 219,723 square miles, the balance being covered by waters or lakes, has an assessed value of approximately one billion dollars and is divided into eight land titles districts. The chief officer of each district is a District Registrar who administers both the Real Property Act and the Registry Act in his district. Approximately one half of the valuable settled land surface of the Province is in the Winnipeg Land Titles District, and considerably more than half of the population of the Province is in this latter district. Today, the staff of the Winnipeg Office includes nine lawyers and an Examiner of Surveys who is a qualified land surveyor. The Registrar General and the Examiner of Surveys must approve of all plans of survey in the province before they are registered. By statute, the title to the land must be under the Real Property Act before the plan is entered for registration. This new Manitoba law, which was to revolutionize the conveyancing of lands in the province, had, at its beginning, a preamble which was taken almost in its entirety from the Act as passed by the legislature of the State of Victoria, Australia. 
It was expressed as follows in the Manitoba Act of 1885: From the wording of these two paragraphs emerge the two outstanding principles of this new system: firstly, certainty of title and facility of proof; secondly, simplicity in dealing with land. It will be noted that the above "preamble" concludes with the words that the Act is "to render dealings with land less expensive," and the paragraph of "Objects" ends with the words that the Act "is to be construed in a manner to best give effect to these objects." These two latter quotations may be dismissed for the present. Nevertheless they have been great contributing factors in the success of the system. That dealings with land were less expensive under the new system, as compared with dealings when the title was under the Registry Act, was at once apparent and the power given the District Registrar to exercise a discretion to permit registration of documents which did not fully conform to the regulations has enabled the Act to be "construed in a manner to best give effect" to the act. These two rather subordinate factors proved most important in establishing the popularity of the system with both lawyers and laymen. The first "Object" of the Act, "certainty of title and proof thereof," is obtained by the issue of a Certificate of Title, which is a document declaring, by authority of the Act, that the person named therein is the registered owner of the specified estate. This Certificate makes it unnecessary to consider any change of ownership prior to the date of the certificate and is the final and absolute evidence of the ownership. The second "Object" of the Act, "simplicity in dealing with land," is ensured by requiring a document presented for registration to be in substantial conformity with one in the "Schedule of Forms" appended to the Act. 
This schedule lays down the form of transfer, mortgage, lease, etc., and a form of caveat which may be used to protect equitable interests; this use of the forms in the schedule facilitates transactions and secures a desirable uniformity. Every document in the form provided, executed in the manner required by statute and practice, is a "direction" to the District Registrar to make the appropriate change in the title, but until the document is actually registered, it does not affect the title; it is simply evidence of some change in the rights of the parties named therein. It is only after a document has been signed and sealed by a District Registrar that the document creates, transfers, charges, surrenders, releases or discharges the estate or interest concerned. The dangers due to faulty or careless conveyancing are minimized by the maintenance of a legal staff in each Land Titles Office to examine and approve the validity of each instrument presented for registration, with power to reject such as are defective or do not substantially conform to the statutory instrument, thus preventing the "cloud on title," so common under Registry Act or other older systems of registration. As the government guarantees the title, it is but right that it should prescribe the forms of conveyancing and have each document approved by its own legal examiners before acting upon it. Following the injunction in the preamble of the Act of 1885 that dealings should be made less expensive and, as an inducement to bring lands from under the Registry Act to the Real Property Act, the province has kept the fees for registration of all documents under the latter act at a minimum. Another inducement was the fact that the assurance fee for guaranteeing the new title is collected only once in Manitoba, as distinguished from other jurisdictions of the Torrens System, for instance in Alberta and Saskatchewan. 
These provinces have insured continuous additions to the Assurance Fund for all time by collecting contributions to the Fund on each succeeding transfer of land. Incidentally, the companies guaranteeing titles charge a fee on every transfer of a guaranteed title which is approximately the same as that paid in Manitoba by the applicant for the first title under the Real Property Act, which fee, once paid, gives a perpetual guarantee. Throughout the years, the people of Manitoba have had a great benefit from the lowest tariff of land titles fees in Canada, with the result that every Land Titles Office in the province has a steady flow of applications from owners of lands remaining under the Registry Act to have their titles brought under the Torrens system. Earlier in these remarks, reference has been made to the Assurance Fund and to the government guarantee of title. The introduction of this guarantee of title was beyond doubt one of the most important of all modern land reforms. The people of the provinces and states which enjoy the many advantages of the system have accepted its benefits for so long that they no longer appreciate the great advance which was made by the introduction of the Torrens system. Queen Victoria, however, recognized Robert Torrens' great services to the state by conferring a knighthood on him. The guarantee was arranged in this way. An Assurance Fund was created by the Act to provide compensation for the public and protection to the province for any loss which may occur through any omission, mistake or misfeasance of an official in the Land Titles Office during the performance of his duties. The money for the fund is obtained by collecting an assurance fee of one quarter of one per cent of the value of the land, which is paid by the owner who applies to have his land brought under the Real Property Act. 
In spite of this almost nominal rate of charge, approximately three quarters of a million dollars has been collected for the Manitoba Assurance Fund since 1885 but, as the claims against the fund have been rare, the government has taken the fund into the consolidated revenue of the province and allows only seventy-five thousand dollars to remain in the fund. This is ample for, if the money in the fund was not sufficient to pay any claim, the government of the province would be obliged to supplement the fund. Great credit is due to the District Registrars of Manitoba; the high order of their administration being shown in the fact that, in the past seventy-two years, less than forty thousand dollars has been paid out of the Fund to those who claimed that they had suffered loss due to some error in the work of the staff of a Land Titles Office. The method of bringing land under the operation of the Real Property Act now becomes of interest. In many jurisdictions of the Torrens System, initial registration of title to land is a purely judicial proceeding; the examiner of titles makes a report of his findings to a Superior Court and the Judge issues a decree directing the Registrar to issue a certificate of title to the applicant. After consideration, Manitoba dispensed with this expensive formality. Here the application to bring land under the Real Property Act is made direct to the District Registrar of the Land Titles District in which the land is located; the District Registrar being vested with all power necessary to deal with it. In practice, the owner of land under the Registry Act makes written application to the District Registrar of his district to bring his title under the Real Property Act. At once the District Registrar makes a note on the abstract of the old system land, which closes the abstract to further registrations under the Registry Act. 
Then the Examiner of Titles goes over the abstract back to the Crown grant, and examines every document registered to establish a complete chain of title in the applicant. If "clouds on title" or any adverse claims are found the applicant's lawyers are called on to produce the evidence necessary to dispose of them. When the abstract is under investigation, the District Registrar has the powers of a judge, in that he can summon witnesses to attend before him for examination under oath and, to facilitate proceedings, he may relax the rules of evidence, if he so decides. When the Examiner of Titles is satisfied that the applicant has a safe-holding title, he makes a report which is final and conclusive, and the District Registrar forthwith issues a Certificate of Title which will show the exact estate of the owner. It may be issued subject to a mortgage or encumbrance registered while the title was under the Registry Act, if the owner so requests. Should the adverse claims be such that the applicant cannot dispose of them, the application will be rejected and the abstract reopened for registrations under the Registry Act. It is an essential principle of the system that, when a District Registrar issues a Certificate of Title, he forthwith becomes the protector of that title, and he will not accept any document purporting to affect that land unless he is completely satisfied that it is in order in every respect. Now consideration may be given to the registration of a document of transfer under the Real Property Act. This does not only give notice of a transfer of title but, by the statute, the title is taken out of the transferor and vested in the transferee. The basic principle of the system is the registration of the title to the land, instead of registering the evidence of such title. Briefly, it is the statute not the document of transfer that takes the title out of one person and vests it in another. 
This certificate is conclusive evidence in every Court of Law or Equity that the person named therein has a valid title to the estate mentioned, except in the very rare instance when the Court finds that the transfer was based on fraud. The possession of a transfer by a person properly entitled to have it gives that person a right to register it, and the statute continues that right in the transferee even after the death of the transferor. As mentioned earlier, mortgages under the Act differ from those under the Registry Act, in that, they do not operate as a conveyance of the land. They are simply charges on the land, but the Real Property Act gives the mortgagee the same rights and powers he would have had under a mortgage giving him the legal estate. In some jurisdictions of the Torrens System, when a mortgagor is in default, the mortgagee in a registered statutory mortgage must apply to the Courts for orders for sale or foreclosure. This most expensive formality is unnecessary in Manitoba; the District Registrar having been vested with all powers required in such matters. The Manitoba Act provides that, when a mortgagor makes default in a payment under the mortgage covenant for one month or such longer period as may have been agreed upon by the parties, the mortgagee may register a notice in the Land Titles Office and serve a copy on the mortgagor demanding payment and, in the same notice, advise the mortgagor that unless payment is made within a second month he will apply to the District Registrar for an Order for Sale of the property. On such an application, the District Registrar approves the conditions of sale and sets the date of sale. These conditions contain premises protective of the mortgagor. 
If the highest offer received at the auction sale is insufficient to pay the then amount of the mortgage and the costs of sale proceedings, the mortgagee, after waiting six months, his claim and costs still remaining unpaid, may apply to the District Registrar for an Order of Foreclosure which must be served on the mortgagor and on all persons having a registered interest in the land. If the default is not remedied, the foreclosure will be completed and title to the land will be issued to the mortgagee clear of the mortgage. Equitable mortgages are not interfered with by the Act. For instance, an owner may deposit his Certificate of Title with a moneylender who may protect his investment by filing a caveat to give notice of his claim and maintain his priority over lien holders and judgment creditors. An equitable mortgage must be enforced through the Courts. The Real Property Act provides a form of caveat that may be filed to protect equitable rights. Caveats are notices to the District Registrar by a person who claims a right or interest in land under the Act. This notice cautions the District Registrar and the public against dealings with the land which might be prejudicial to the rights of the caveator. As Coutlee expresses it in his book: "they are analogous to ex parte injunctions in restraint of dealings with estates or interests in land." A caveat prevents registration of dealings unless they are expressed to be subject to the claim of the caveator. Caveats may also be filed by a District Registrar or by direction of a Court to protect the interests of the Crown or a person under disability or to prevent an improper dealing with land. 
A registered owner who disputes the claim of a caveator may apply to the District Registrar for a notice to be served on the caveator, requiring him to take action in Court to maintain his rights within a certain period or his caveat will be lapsed and removed from the certificate of title by the District Registrar. If the Court finds that the caveator has filed his caveat wrongfully or without reasonable cause, that is, that he has not an enforceable right in the land, the Act provides that he shall be liable in such damages as the Court may decide. Another registration is that of the Certificate of Lis Pendens. The plaintiff in an action pending before the Court affecting a specific piece of land may obtain one of these certificates from the Court, which, when registered in the Land Titles Office concerned, is noted on the certificate covering the land affected. This gives notice that some question is before the Court in which the title to this land is involved and anyone dealing with the land must take it subject to the suit then before the Court. Certificates of Judgment, decrees, or orders of court for payment of money may be registered and from that time form a charge on all the lands which may be registered in the name of the debtor named in the court certificate. Because of the time at our disposal only the essential principles of the Act have been mentioned and only a few of the more common documents which may be registered have been touched upon, and these very briefly, and references to practice in Land Titles Offices have been kept to a minimum. The duties and powers of a District Registrar are set out in the Statute, and many of these have been noted earlier in these remarks. 
However, the District Registrar recognizes that, in any extraordinary transaction that comes before him, the Act places on him the responsibility of satisfying himself by inquiry as to every factor which might in any way affect the validity of the title concerned, and to assist him in this, he is empowered to require production of any supplementary evidence necessary to satisfy him of the bona fides of the parties to a transaction should it, in any case, appear to him proper so to do. In many ways a District Registrar in Manitoba is given a greater judicial power than under any other jurisdiction of the Torrens System. As referred to above the District Registrar has exclusive jurisdiction in regard to proceedings on default under mortgage of lands under the Real Property Act. He, not a judge, issues the orders of sale and foreclosure. The Municipal Act of the province and the Real Property Act place in the District Registrar the entire supervision and authority over the issuance of title to land pursuant to sale of lands for taxes. In many states, even those where some form of the Torrens System is on the statutes, this is a most involved and expensive procedure; a Judge of a Superior Court being obliged to issue a judgment directing the issue of the Certificate of Title to the purchaser at the tax sale. Under the system in Manitoba these matters are handled in a most expeditious and inexpensive manner and, though tens of thousands of such tax titles have been issued in the past seventy years, I believe that there is but one instance of the Assurance Fund having to pay a claim to a person who established that he had suffered a loss due to the mistake of a District Registrar when issuing a title based on tax sale proceedings. 
In this province, when a certificate of title is issued to an executor or administrator of a deceased owner, the Act makes the will "part of the certificate of title" and the District Registrar must be satisfied that the personal representative is carrying out the terms of the will or the Devolution of Estates Act before permitting registration of documents affecting the lands of the estate. Thus, the superiority of the Torrens System over the older systems of land registration (in connection with these estate transfers) is again immediately apparent. The evidence required by the District Registrar before he approves the transfer of the title must be placed on file in the Land Titles Office and becomes available for future reference. On the other hand, under the older systems of land registry, a deed from an executor or an administrator would be registered without production of any authority to deal with the land. After a lapse of several years, the solicitor for persons dealing with the land may find it difficult or impossible to obtain satisfactory evidence to support or disprove the document registered by the executors or administrators. It is impossible to estimate the money that has been and will continue to be saved to the people of Manitoba by the granting to the District Registrar of this power to supervise the transactions of executors and administrators. Due to the care exercised by the District Registrars in approving transactions regarding the lands of a deceased owner the legal profession has complete confidence in any certificate of title based upon the acts of executors or administrators. 
A further evidence of the responsibility of a District Registrar is that the courts hold that it is the duty of the District Registrar to satisfy himself that a corporation owning land is dealing with it in accordance with the powers given it by its charter or act of incorporation; thus providing an exceptional protection to shareholders and creditors of such a body. In practice, every corporation, excepting those created by an act of the Legislature of Manitoba, must, before it can own or deal with land, file a copy of its charter or the statute of its incorporation in the Land Titles Office of the district where the land concerned is registered. A District Registrar is also empowered to decide similarly the priority represented by the claim of a creditor under a registered certificate of judgment of court and that of a registered owner. The simple procedure in such cases is another evidence of the great saving in time and money to the parties involved. In many other respects a District Registrar exercises quasi-judicial powers in matters formerly in the exclusive jurisdiction of the courts, yet, due to the careful selection of the lawyers appointed as District Registrars and their judicious administration of these delegated powers, confidence in the system has steadily increased. The Registrar General has duties under scores of Statutes, for instance: The Surveys Act, The Special Surveys Act, The Municipal Act, The Public Schools Act, The Religious Estates Act, The Wills Act, the Devolution of Estates Act, The Trustee Act, The Dower Act, etc.; also certain Federal Acts, notably the Bankruptcy Act, the Expropriation Act and the Act dealing with the custody and property of alien enemies. Under the Devolution of Estates Act the Registrar General has powers equivalent to a Surrogate Court Judge in dealing with the lands of an estate in cases where the interests of infants, lunatics and other beneficiaries of the estate are under a disability. 
Thom, the Canadian authority on the Torrens System, in his book, The Canadian Torrens System, referring to the Registrar General of Manitoba, states: "He has more authority than the head of the system in any other Province." All District Registrars may refer questions of interpretation and practice to him. In any case where a District Registrar has made a ruling in some matter before him, which is not acceptable to the solicitor representing a party, the matter may be referred by the District Registrar to the Registrar General and, if the Registrar General rules that the District Registrar has acted correctly, the solicitor may take the matter before a Judge of the Court of Queen's Bench who may, if he wishes, decide the issue or refer it to the Court of Appeal of the province. To reiterate the advantages of the system; first, every certificate of title issued is guaranteed by the government; second, it is simple; a lawyer can satisfy himself within a few minutes as to the state of the title; third, it is inexpensive. The forms of conveyancing provided by the Act are simple and the fees in Manitoba are believed to be the lowest in any jurisdiction of the Torrens System, yet the revenue is sufficient to maintain the existing offices and the staff. Again, many matters of practice embodied in the acts of the Australian states were, after advisement, left out of the Manitoba Act as being likely to trammel and cramp a liberal and elastic interpretation of the spirit of the system. As one authority states: "The Registrar is at liberty to substitute moral certainty for legal certainty where the latter is unavailable, acting on the view that the purpose of the Act is to facilitate the transfer of land. Where this practice obtains, the system becomes correspondingly popular." It must again be emphasized that the liberality of the interpretation of the Act, exercised by the District Registrars, has not resulted in a lowering in the standard of conveyancing. 
Rather, due to the watchful guidance of the Registrars General in the years of the inception of the system in the province and since, there has been a steady growth of accurate conveyancing for, while accuracy is insisted upon, such technical perfection as would impair the usefulness of the system or render it unpopular with the public or legal profession is not demanded. Therefore, it is only a matter of time before all the lands in Manitoba will have a guaranteed title under the Real Property Act.
After Mr. Macara's death, Mrs. Macara presented to the Winnipeg Land Titles Office, a handsome portrait of her husband by Sir Wyly Grier, President of the Royal Canadian Academy. This portrait is seen daily by scores of lawyers and law students who are unaware that it is probably the most valuable portrait of a Manitoban in the province. Edmund Wyly Grier (1862-1957) was the first Canadian to receive a knighthood in recognition of his work as an artist. Studied in England, Rome and Paris. Exhibited with Royal Society of British Artists while Whistler was president. At the Paris Salon his picture "Bereft" won the gold medal and at the Pan-American Exhibition his canvas received the silver medal. President of the Ontario Society of Artists and the Royal Canadian Academy and a member of National Academy, New York.
Page revised: 22 May 2010
http://www.FreeFitnessGuru.com/FreePassword.html Free 97 page BodyBuilding anatomy manual for you to download right now. THE STUDENT’S ANATOMY OF EXERCISE MANUAL. ANATOMY & BODYBUILDING; ANATOMY & 100 ESSENTIAL STRETCHING EXERCISES;. is Professor of Anatomy in the Department of. Amazon.com: Muscle Anatomy Manual eBook: Gareth Thomas: Kindle Store. Learn about the different muscles of the body and what exercises work them. Find out how to do them properly with the bodybuilding chart of anatomy! 
Muscle and Body Building Anatomy Manual Is Now Yours - Completely 100% free. Please Check Your Email for Latest Download and Password. Step 1: Open the confirmation email.
Nec - Nitsuko DSX 40 DSX-40 Demo Kit Quick Start Guide Rev 1 DSX-40 Hardware Manual Rev 1 DSX-40 Quick Start Guide Rev 1. Below you can download technical manuals, user guides, support instructions for telephones brands such as Commander Hx, Nt, Connect, Vision, Nec, Samsung, Avaya, LG. View and Download NEC NEAX 2000 IPS configuration manual online. NEC Electronics America Server User Manual. NEAX 2000 IPS Server pdf manual download. Technical Manuals Download for HX Commander, How to program & install a Commander HX Or Commander NT telephone System including other phone system manuals & User Guides & Instructions. Contact Center Solutions (NEAX ACD). ATLAS 550 Dual Nx 56-64 Module User Manual ATLAS 550 Dual T1-PRI Module User Manual ATLAS 550 Nx56-64 BONDing Module User Manual (Rev A) ATLAS 550 Octal E&M Module. Manuals Download - BUY ONLINE OR CALL FOR HELP 1300 088 088
OPTICAL LEVEL, Sokkia brand, model B40. 24x objective. Accuracy of 2.0 mm per kilometer of leveling. Erect image. Minimum focus at 30 cm. Compensator. Automatic and laser levels for surveying in Mexico. More information: SPECIAL OFFER!!! Topcon AT-B4 LEVEL, IMMEDIATE DELIVERY. Excellent level for field work, economical and durable, automatic, 24x magnification (24X), image. New series of Topcon total stations with reflectorless measurement, “ES” (Easy Station) and “OS” (On-board Station) series, new design with superior technology.
DESCRIPTION: OPTICAL LEVEL, Sokkia brand, model B40. 24x objective. Accuracy of 2.0 mm per kilometer of leveling. Erect image. Minimum focus at 30 cm. PDF catalog. Price: $6,000.00, VAT INCLUDED. Sokkia model B40 automatic level with an accuracy of ±2 mm per km leveled, 24x magnification and a 360-degree horizontal circle; includes a plastic case and a lightweight aluminum extension tripod with a 5/8 x 11" central screw. IMMEDIATE DELIVERY, SUBJECT TO PRIOR SALE. The package includes: · 1 Sokkia B40 level · 1 high-impact-resistant case · 1 operating manual · 1 aluminum extension tripod, 5/8 · 1 aluminum leveling rod, 4 m · 1 operating course at our offices · 1 calibration certificate · 1 year of warranty. Sokkia level, SETL level, Leica level, surveying leveling equipment, leveling with equipment in Mexico.
Product documentation for WorkCentre 5225/5230. Hints and Tips on installation and configuration of your Xerox WorkCentre, WorkCentre Pro, and Document Centre. User Guide XE3021EN0-2 ME3612E4-1 © 2008 by Fuji Xerox Co., Ltd. All rights reserved. Copyright protection claimed includes all forms and matters of copyrighted material and information now allowed by statutory or judicial law or hereinafter granted, including without limitations, material generated from the software programs which are displayed on the screen, such as icons, screen displays, looks etc. User Guide • Xerox WorkCentre 5222/5225/5225A/5230/5230A is synonymous with the machine. allow manual sending can initiate relay broadcasting to the machine. Orientation Orientation is used to mean the direction of images on the. Manual Receive. Get supplies and support for WorkCentre 5225/5230. Although this product is no longer sold as new, please see our newer models.
V1.4.7. fix: Russian NLS file removed with other langs; fix: Missing nLite.inf if only Tweaks selected; fix: KB951376 direct integration. 
Page 1 of 80 - Integration of NVIDIA's nForce RAID and AHCI drivers - posted in nLite: @ all users with a NVIDIA nForce RAID or AHCI system: Important information for. Where on computer are windows 7 installation files located? This is a discussion on Where on computer are windows 7 installation files located? within the.
Ever since I released the nLite update after so many years, I am getting the same question: will there be nLite for Windows 7+, is current nLite update all there is? The answer is that I am working on such a tool, release date is unknown, but it can be counted in months, not years. Unfortunately my quality bar is now much higher so I will not be releasing alpha versions to the public, still considering betas. I'll post news here as soon as there is any, in the meantime nLite will be updated as it would be if I never left.
Well, there goes another 5 years. I have finally decided to return to the project, and will be actively supporting it from now on. If you have contacted me over the years about a language translation update, an updated link to an nLite guide, or similar, please do so again so I can follow up. Enjoy and feel free to contact me or post at the forums if there is something important to fix or add. Thank you for your support. List of changes. This first batch of updates is mainly maintenance. Another thing to add is that direct hotfixing of WMP and x64 ASMS hotfixes is disabled due to safety concerns until a better method is developed for those special cases.
If you do not boot from CD then a few issues could occur when installing XP SP3 with winnt(32).exe. If you did not have any issues then no need to update. Fix: XP SP3 manual install (winnt32) issues. Note: I read that some of you think that nLite breaks the floppy F6 method. That is not true, it is a Windows limitation, just disable the OEM Preinstall on the Unattended - General page or integrate the driver. 
Finally the XP SP3 was released so here is the final nLite version update as well. Just one important thing changed, SP3 Slipstream under Vista. It would reject your valid CD-Key. Not my doing but it is fixed anyway. So in order to fix the XP SP3 CD-Key issues remake the Slipstreamed version from scratch with this nLite version. Update: if you are upgrading from RTM to SP3 then first slipstream SP2 if you are using Vista as a host.
Here is the quick fix, or should I say update to follow the newly introduced internal changes to the XP SP3 build 5503. Some say it might be an RTM version, others to be careful because it is not yet confirmed. Also if some hotfixes did not integrate directly that did in the older version then this one will correct that as well. Update #2: it has been confirmed that RTM is build 5512. This nLite version works with builds 5508 and 5512 as well.
Easy guide to slipstream your SATA AHCI drivers into a Windows XP installation CD using nLite. Windows XP will be able to detect SATA AHCI HDD.
Nlite Manual Installation Files Are Corrupt
Nlite Manual Installation Files For Canon
nLite - Deployment Tool for the bootable Unattended Windows installation
Public Health Information and Data: A Training Manual National Network of Libraries of Medicine National Library of Medicine. Welcome to our online resource library where you will find everything from detailed cedar specifications, project installation guides and much more. Buy Backyard Discovery Tucson Cedar Wooden Swing Set at Walmart.com. Find 1000s of pages of Dog Training and Health Information in our Large Online Manual/Encyclopedia. Use the Active Discussion Forum to Ask Questions and get Help. 
Location of Issuance, National Driver Register, Out-of-State Permit Holders, Requirements for Obtaining a Permit/License, Kentucky state laws, etc. |