Information Security Standards in Critical Infrastructure Protection

Transcription

1 Information Security Standards in Critical Infrastructure Protection Berlin 11/11/2015 Alessandro Guarino StudioAG

2 Introduction Computers everywhere! ICT Technologies pervasive even in very analog settings: trains, planes, automobiles (and water treatment) Worse everything seems to be connected Slide 2 of 19

3 Introduction However we have a problem Industrial plants and infrastructure applications have their own peculiarities: Physical effects Long life and legacy systems Geographical dispersion Safety first! Important societal impacts several stakeholders Slide 3 of 19

4 Introduction [...]an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions. Slide 4 of 19

5 Introduction Standards as an integral part of Infosec In CIP and Cyber Security they are becoming integral to policy Cybersecurity policy at the crossroads of Information Technology, Security, Policy, Economics... Slide 5 of 19

6 The World of Standardisation Overly fragmented and complex (actors and bodies, geography, interests involved ) Rough classification of norms along two params: Technical vs. Organisational Certifiable vs. Non-certifiable Slide 6 of 19

7 The World of Standardisation Who writes standards? An alphabet soup (selection): Europe: CEN, CENELEC & ETSI The European Standardisation Organisations United States: NIST, ANSI, NERC Worldwide: ISO, IEC Many, many others... Slide 7 of 19

8 Available Standards (Some of them...) ISO Common Criteria, aka ISO NIST NERC CIP ANSI/ISA 99 Slide 8 of 19

9 ISO Risk-based Wide range of controls Not specific, needs to be tailored and implemented Part of the ISO 27xxx series Slide 9 of 19

10 Common Criteria Concerned with design & development Adopted in the military Not directly applicable but useful to assess the level of security of single elements of the system Slide 10 of 19

11 American Standards NIST Security and Privacy Controls for Federal Information Systems and Organizations The framework for Cyber Security of 2014 Slide 11 of 19

12 American Standards NERC Standards for the Power Grid A very interesting case study for policy (Specific sector but example of a Critical Infrastructure, central to many others) Slide 12 of 19

13 Standardisation Policies Standard development Standard implementation and adoption Slide 13 of 19

14 Standardisation Policies The development phase Europe: The ESO ecosystem, the Commission and their interactions US: Free Market and Supreme Executive Power Slide 14 of 19

15 Standardisation Policies Adoption of standards: policy options No mandatory standardisation (non-interference) Voluntary standardisation compliance Possibly with economic incentives Mandatory compliance (NERC CIP) Slide 15 of 19

16 Standardisation Policies Slide 16 of 19

17 Conclusions Benefits of technical standardisations is mostly non-controversial Organisational models adoption sketchy Problem Organisational Security Models are fundamental for Cyber Security Policy-wise, mandatory adoption seems necessary for CI. Alternatives? Slide 17 of 19

18 Thank you! Any questions? Full Paper and Slide Deck Freely Available at: (Information Security Blog) StudioAG Infosec Consultancy Firm Slide 18 of 19

19 References CEN-CENELEC-ETSI Cyber Security Coordination Group: Recommendations for a Strategy on European Cyber Security Standardisation, 2014 ( Dept. of Homeland Security: Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization and Protection, 2003 ISO/IEC: ISO/IEC 27001:2013 Information Technology Security Techniques Information Security Management Systems Requirements NIST: Framework for Improving Critical Infrastructure Cybersecurity, 2014 NIST: NIST Special Publication Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations Slide 19 of 19