1 An IACS user viewpoint for Cyber Security Management System 15-Jul-2014 Hironobu Takeda Mitsubishi Chemical Engineering Corporation IACS : Industrial Automation and control System Agenda Why Cyber Security Management System? How to build CSMS(1) What to do at first How to build CSMS(2) Risk assessment How to build CSMS(3) Key points, remarks
2 Objects you should protect for IACS Cyber Security For Cyber security Management System is indispensable in addition to technical protection of hard/software What to protect? CSMS HSE(Health, Safety, Environment) Priority : Availability I>C ISMS Information assets Priority : A<I<Confidentiality CSMS : Cyber Security Management System ISMS : Information Security Management System
3 Effort to P.A. system security up to CSMS In-house PA Network security guidelines(the first edition,2009) - by Work Gr. among process control tech. Grs. of four plants Outline of in-house PA network security guidelines Clarifying PA NW security management section Ideal network configuration Guidance of firewall setting Remarks about PA network usage Change control. FW registration review on a regular basis User education PA : Process automation, FW : Firewall Check, Action was insufficient after established it. PDCA cycle delayed, and far from procedure unification
4 Motive of the CSMS Activity Motive of participation of CSMS pilot authentication project (*1) 1Current issues: IACS Cyber Security Maintenance and sophistication Enhancement of IACS cyber security by following management system based on IEC Investment for the future (from standpoint as a system integrator) 3Business Preparation for clients demand in the future like SIS (Safety instrument system), especially on overseas work Early acquisition of IACS Cyber Security techniques Making company reputation better e.g. CSR, BCP Expansion of business scope Consultation IACS : Industrial Automation and control System CSR : Corporate social responsibility BCP : Business continuity plan (*1) METI 2013
5 Cyber Security Management System Continuous brushing up of security measures is necessary. Gathering information, orchestration Other sections Suppliers, external experts Clarification of object scope Maintenance Education Organization Incident response Object scope Change management Risk evaluation Improvement Risk countermeasures Technical response System enhancement Rule of network usage Standards Check list Evidence of the activity Raising consciousness and knowledge acquirement Consistent emergence of vulnerability and threat Update and apply new countermeasures.
6 Outline of IACS cyber security standard IEC62443 series outline Manufacturer, user System integrator standardization Evaluation, Certification Management, operation Standardization target Generalpurpose control system Petroleum and chemical plant System for special use Power Technology supply system Smart grid Railway sysytem Organization Components, devices Suppliers System Component The source : IPA/Information-technology Promotion Agency Japan HP https://www.ipa.go.jp/security/fy24/reports/ics_sec/ics_annex.pdf Standard map for control system Explanatory notes International standard Industry-wide standard
7 To obtain leadership support Business rationale Detailed control Develop a business rationale Detailed control The organization should develop a high-level business rationale, as a basis for its effort to manage IACS cyber security, which addresses the unique dependence of the organization on IACS Clarify business rationale and obtain executive s support Leadership commitment and support Authorizing the team carrying it out
8 Scope of CSMS Common Historian OA PC The scope of CSMS OA Network FW PA network PDB OPC APC Computer terminal in control room This CSMS covers both Kashima and Mizushima plants PDB:Plant database APC:Advanced process control system OPC:OPC server of DCS OA:Office automation
9 Project team Aug-2013 ~ The CSMS certification pilot project team is as follows. Project manager (1 person)communication to the executive Office staffs (2 persons) General affairs Operation leader (1 person) Development of standards. Reconciliation in views Promoters in site(1 prsn/site)operation for CSMS in site Technical support members(2 persons) Technical support. In-house auditing Getting support from the Information system section and facilities maintenance section by communicating appropriately
10 Top level activities for establishing a CSMS Initiate CSMS program High-level risk assessment Establish policy, organization and awareness Maintain the CSMS Detailed risk assessment Select and implement countermeasures The source:iec Annex B A rational risk evaluation brings a feeling of assent Standardize a risk estimation method. Design a management plan based on the risk estimation.
11 High-level risk assessment Conduct a high-level risk assessment A high-level system risk assessment shall be performed to understand the financial and HSE consequences in the event that availability, integrity, or confidentiality of the IACS is compromised Identify the IACS The organization shall identify the various IACS, gather data about the devices to characterize the nature of the security risk and group the devices into logical systems. Classify Managed IACS information assets into categories based on each character. Classify common vulnerable items into each IACS category - Operational management, human mistake, environment and virus, etc. points of view Assume and recognize average risk from each viewpoint.
12 Detailed risk assessment Inventory IACS systems, Networks and devices Screen and prioritize High-level risk assessment Identify detailed vulnerabilities Identify and prioritize associated risks Update high level risk assessment The source:iec Annex B
13 Detailed risk assessment Integrate physical, HSE and cyber security risk assessment results The results of physical, HSE and cyber security risk assessments shall be integrated to understand the assets overall risk Conduct risk assessments throughout the lifecycle of the IACS Risk assessments shall be conducted through all stages of the technology lifecycle including developments, implementation, changes and retirement.
14 Informational asset inventory Plant name Category of IACS group Asset name Priority of the information asset Priority about Availability, Integrity, Confidentiality etc. Incorporate a viewpoint of HSE into priority evaluation. e.g. Influence on safety, environment, production, quality when the information asset fails.
15 Detailed risk assessment in Operate detailed risk assessment based on the high-level risk assessment that is carried out in each IACS category and on characteristics of each information asset. Example of characteristics of information assets Issues for setting environment of facilities e.g.: Uninhabited room. General power supply (not for instrumentation) Operational issues e.g.: Use in a large number of operators Regular use basis (7days24hour)
16 Determining the IACS risk rating Identify a detailed risk assessment methodology The organization s risk assessment methodology shall include methods for prioritizing detailed vulnerabilities identified in the detailed vulnerability assessment Determine the organization s tolerance for risk The organization shall determine and document its risk tolerance as a basis for creation of policy and risk management activities. Risk rating=f(priority of the information asset, residual risk) Classify risk rank from A to D. Reflect it to countermeasures
17 Risk rating and countermeasures Risk rating=f(priority of the information asset, residual risk) class A situation countermeasure B C Clarify description of risk rating Show the countermeasure to each risk rating D
18 Key points for CSMS (for the CSMS certification) What we felt through CSMS building : Build CSMS by harmonizing existing cyber security activity without denying it. On this occasion, use existing work items that can adapt to the certification standard continuously. Carry out high-level/detailed risk assessment. And determine controls to be adopted. Carry out CA in a review. And turn PDCA cycle. Check and Action Make medium-and long term plan that needs time and cost. And carry out it.
19 Remarks A frame to continue activity was made. PDCA cycle of the security maintenance and enhancement has begun rotating by CSMS operation. A rational controls with a feeling of assent were built by risk assessment. We realized a need of incident training. - Do possible training even if on the desk. - Consider about utilizing knowledge and facilities of outsource such as CSSC, especially when you need large scale training.
20 Resdidual issues Work load balance between detailed control and continuous activity - If detailed controls brings excessive work load, it influences on the activity itself. Re-check if there are excessive controls. Simplify controls in the range that does not lose standards essence. Sense of balance among risk, effect and work load is important. The review of the detailed controls is apart of PDCA in CSMS.
ISMS User s Guide for Medical Organizations Guidance on the Application of ISMS Certification Criteria (Ver.2.0) ISMS: Information Security Management System 8 November 2004 Japan Information Processing
Standards for Internal Control in New York State Government October 2007 Thomas P. DiNapoli State Comptroller A MESSAGE FROM STATE COMPTROLLER THOMAS P. DINAPOLI My Fellow Public Servants: For over twenty
2008 by Bundesamt für Sicherheit in der Informationstechnik (BSI) Godesberger Allee 185-189, 53175 Bonn Contents Contents 1 Introduction 1.1 Version History 1.2 Objective 1.3 Target group 1.4 Application
Document subject to 4.1 General requirements The organization shall: a) b) establish, document, implement, maintain and improve an EnMS in accordance with the requirements of this International Standard;
ITIL V3 Application Support Volume 1 Service Management For Application Support ITIL is a Registered Trade Mark and Community Trademark of the Office of Government and Commerce. This document may contain
ICC CYBER SECURITY GUIDE FOR BUSINESS ICC CYBER SECURITY GUIDE FOR BUSINESS Acknowledgements The ICC Cyber security guide for business was inspired by the Belgian Cyber security guide, an initiative of
CYBERSECURITY WORKFORCE DEVELOPMENT MATRIX RESOURCE GUIDE October 2011 CIO.GOV Workforce Development Matrix Resource Guide 1 Table of Contents Introduction & Purpose... 2 The Workforce Development Matrix
PUBLIC POWER CORPORATION S.A. INFORMATION TECHNOLOGY DIVISION CENTRAL SYSTEMS SUPPORT SECTION IT SYSTEMS SECURITY SUBSECTION PROCEDURE FOR SECURITY RISK MANAGEMENT IN PPC S.A. INFORMATION TECHNOLOGY SYSTEMS
HIPAA Security Procedures Resource Manual The following security policies and procedures have been developed by North Dakota State University (NDSU) for its internal use only in its role as a hybrid entity
Review of Asset Management Practices in the Ontario Electricity Distribution Sector March 10th, 2009 Disclaimer The views expressed in this report are those of KPMG LLP and do not necessarily represent
Chapter 6 Business Continuity Planning & Disaster Recovery Planning LEARNING OBJECTIVES: To develop business continuity plan 6.0 Introduction Business continuity focuses on maintaining the operations of
APPENDIX 1 DISASTER RECOVERY PLANNING FOR CITY COMPUTER FACILITIES March 2008 Auditor General s Office Jeffrey Griffiths, C.A., C.F.E. Auditor General City of Toronto TABLE OF CONTENTS EXECUTIVE SUMMARY...1
(Provisional translation) *This translation is provisionally prepared and subject to change without notice. Insurance Inspection Manual (Inspection Manual for Insurance Companies) January 2012 Insurance
Security Policy: Best Practices White Paper Document ID: 13601 Introduction Preparation Create Usage Policy Statements Conduct a Risk Analysis Establish a Security Team Structure Prevention Approving Security
Guidance for Industry Q10 Pharmaceutical Quality System U.S. Department of Health and Human Services Food and Drug Administration Center for Drug Evaluation and Research (CDER) Center for Biologics Evaluation
Computer validation Guide Final draft Version 2 December 2002 Revision History: Version 1 August 2002 Version 2 References to 21 CFR part 11 in Chapter 6. Legal Reference December 2002 COMPVALFINALDRAFTDECEMBER2002.DOC
Concordia University College of Alberta Master of Information Systems Security Management (MISSM) Program 7128 Ada Boulevard, Edmonton, AB Canada T5B 4E4 Information Security Awareness: Issues and Proposed
INFORMATION ASSURANCE AND CYBER SECURITY STRATEGIC PLAN Table of Contents 1 CONTENTS 1 EXECUTIVE SUMMARY...6 2 INTRODUCTION...8 2.1 Background...9 2.2 Current and Emerging Cyber Security Threats...9 2.2.1
Processes 395 Integrating configuration management into existing processes 7.2 Integrating configuration management into existing processes To implement configuration management in a complex environment,
` City of Beverly Hills Public Works Services Department 345Foothill Road Beverly Hills, CA. 90210 Infor (Hansen) Computerized Maintenance Management System Request for Proposal For Infor System Re-implementation
Job Family Standard for Administrative Work in the Information Technology Group, 2200 TABLE OF CONTENTS INTRODUCTION... 2 COVERAGE... 2 MODIFICATIONS TO AND CANCELLATIONS OF OTHER EXISTING OCCUPATIONAL
Reducing the Cyber Risk in 10 Critical Areas Information Risk Management Regime Establish a governance framework Enable and support risk management across the organisation. Determine your risk appetite
Joint UNECE/Eurostat/OECD Work Session on Statistical Metadata (METIS) Generic Statistical Business Process Model Version 4.0 April 2009 Prepared by the UNECE Secretariat 1 I. Background 1. The Joint UNECE
Special Publication 800-82 Guide to Industrial Control Systems (ICS) Security Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations
Federal Communications Commission Information Technology Strategic Plan Implementing technology today to meet FCC business needs tomorrow Office of the Managing Director Information Technology Center July
Vanderbilt University Medical Center Project Implementation Process (PIP).......... Project Implementation Process OVERVIEW...4 PROJECT PLANNING PHASE...5 PHASE PURPOSE... 5 TASK: TRANSITION FROM PEP TO
The Asset Management Landscape Second Edition ISBN 978-0-9871799-2-0 Published March 2014 www.gfmam.org The Global Forum on Maintenance and Asset Management The Global Forum on Maintenance and Asset Management