Vision & Positioning Statement For Wurldtech Labs

Transcription

1 Vision & Positioning Statement For Wurldtech Labs Wurldtech Security Technologies s Industrial Cyber Security Solutions For Global Process Automation & Control System Stakeholders

2 Presentation Purpose To introduce the Achilles Practices Certification program and provide WIB attendees with a clear understanding of the program s purpose and structure as well as the benefits and business case for global process automation and control stakeholders. Agenda 1. Section 1 Background & Catalyst 2. Section 2 The Achilles Practices Certification Program 3. Section 3 The Path To Success

3 The Landscape Until Now Too Much FUD, Not Enough Facts No Common Language Or Communications Framework Asymmetric Stakeholder Efforts Workinggroupitis No Data, No Business Case, No Budget, No Improvement Lack Of Economics & Incentives Product Pitches Instead Of Process Solutions Led To.

4 Consultants Vendors End-Users Wurldtech

5 Common Cyber Security Benchmarks Achilles Certified Industrial Devices, Systems & Applications Achilles Certified Cyber Security Best Practices Achilles Certified Industrial Automation Professionals

6 Before Product Certification Device Test Case Monitors Impacted Recovery Time Rank SIS PLC Arp Cache Saturation Storm Discrete, ICMP Requires Restart PLoV + PLoC

7 After Product Certification

8 Section 2: Practices Certification 1. Program Purpose & Success Criteria 2. The Model & Framework 3. The Business Case & Benefits 4. Status Update 5. The Roadmap

9 Certification Program Evolution To Date Phase 1 Finalize Shell DEP Requirements - Stakeholder Input & Revisions Phase 2 Make Requirements Generic For Wide Adoption - Vendor Agnostic - International Standards Alignment Phase 3 Create A Certification Program Framework - Simple, Scalable, Repeatable & Cost Effective - Maturity Model & Standards Alignment Phase 4 Pilot The Program & Launch

10 The Benchmark

11 The Reference Model The SSE-CMM has two dimensions, domain and capability. The domain dimension simply consists of all the practices that collectively define security engineering. These practices are called base practices. The capability dimension represents practices that indicate process management and institutionalization capability. These practices are called generic practices as they apply across a wide range of domains. The generic practices represent activities that should be performed as part of doing a base practice.

12 The Framework Wurldtech has tailored twenty three (23) Process Areas to be used by Vendors applicants. These PAs are organized into three logical categories: (1) Organization Process Level, (2) Product Process Area, and (3) Commissioning & Maintenance Process Area. Table 1 describes the Process Area within each category.

13 The Requirements

14 The Requirements

15 The Requirements

16 The Evidence The questionnaires are administered to collect the evidence needed for assessment. All questionnaires include the information shown in Table 1. When the questionnaire is administered, the respondent answers the question with a simple YES, NO, Don t Know by checking the appropriate box. If the answer is YES, the respondent cites the evidence by referring to a document ID.

17 The Process

18 The Result Bronze certification is awarded for successful completion of all applicable and approved Base Practices for Level 1 maturity. Silver certification is awarded for successful completion of all applicable and approved Base Practices for Level 1 maturity and those Base Practices applicable to Level 2 maturity. Gold certification is awarded for successful completion of all applicable and approved Base Practices for Level 1 maturity, those applicable to Level 2 maturity, and those applicable to Levels 3, 4 and 5 maturities.

19 Process Areas PA01 - Set The Stage PA02 Designate A Security Contact PA03 Get Certified PA04 Harden The System PA05 Protect From Malicious Code PA06 Implement Patch Management PA07 Secure Account Management PA08 Support Backup/Restore PA09 Increase Network Visibility PA10 Standardize On Historians PA11 Control Set Points PA12 Connect Wirelessly PA13 Fortify IPS Connectivity PA14 Provide Remote Access PA15 Set The Stage PA16 Manage The Deployment PA17 Harden The System PA18 Protect From Malicious Code PA19 Implement Patch Management PA20 Secure Account Management PA21 Support Backup/Restore PA22 Implement The Architecture PA23 Connect Wirelessly PA24 Provide Remote Access WIB 2010 Cyber Security Seminar Presentation The Result Level 5 Level 4 Level 3 Level 2 Level 1 Capability Levels Security Engineering Process Areas Commissioning & Maintenance Process Areas

20 The Status Pilot Program Five Global Suppliers Certified April 2010 Finalize Practices Certification & Go To Market

21 Section 3: The Path To Success

22 Wurldtech 1. Leverage Our Reputation To Drive Support 2. Increase Industry Stewardship 3. Lay The Foundation

23 Suppliers 1. Be Proactive & Get Involved 1. Use Security As A Differentiator 1. Align Internal Stakeholders

24 End Users 1. Stand On The Shoulders Of Giants 2. Mandate Conformance 3. Get Involved

25 Governments 1. Facilitate Information Sharing 1. Create Incentive Programs 2. Build The Business Case 1. Limit Involvement

26 Let s Recap The Final Requirements Were Created, Reviewed & Revised By Industry Stakeholders From Different Sectors & Regions The Certification Program Structure Is Simple, Scalable, Functional & Cost Effective The Program Model Follows International Certification Guidelines & Aligns With Current & Emerging Cyber Security Standards (NIST, ISA SP99) The Program Integrates A Internationally Recognized Maturity Concept To Enable Industry/Segment/Vendor Analysis

27 Questions?

28 Vision & Positioning Statement For Wurldtech Labs Wurldtech Security Technologies Suite West Georgia Street Vancouver BC Canada V6B 5A1 T F [email protected] Wurldtech Labs The Global Center Of Excellence For Securing Digital Energy Infrastructure Into The 21 st Century Perry A. Pederson, VP Wurldtech Labs Manager Of Centre Of Excellence Initiative * Strictly Confidential Must Not Be Distributed