Nadya Bartol, CISSP, CGEIT VP, Industry Affairs and Cybersecurity Strategist UTC (Utilities Telecom Council) USA Utilities Telecom Council 1

Transcription

1 Nadya Bartol, CISSP, CGEIT VP, Industry Affairs and Cybersecurity Strategist UTC (Utilities Telecom Council) USA 2014 Utilities Telecom Council 1

2 Why do we need cybersecurity? Agriculture and Food Energy Transportation Chemical Industry Postal and Shipping Water Public Health Telecommunications Banking and Finance Key Assets Critical Infrastructure / Key Resources Railroad Tracks Highway Bridges Pipelines Ports Cable Fiber Reservoirs Treatment plants Farms Food Processing Plants Hospitals Power Plants Production Sites FDIC Institutions Chemical Plants Delivery Sites Nuclear power plants Government Facilities Dams Control Systems SCADA PCS DCS Services Managed Security Information Services Physical Infrastructure Hardware Telecommunications Networking Equipment Software Financial Systems Internet Human Resources Domain Name System Web Hosting IT and Telecommunications Infrastructure Source: Don Davidson, DOD-CIO Trusted Mission Systems and Networks 2014 Utilities Telecom Council 2

3 Utilities are a target ICS CERT Responded to the toal of 245 incidents in September 2014-February % 3% 2% 2% 2% 2% 1% Energy Critical Manufacturing Water 5% 5% 6% 6% 6% 27% 32% Information Technology Transportation Nuclear Communications Govenment Facilities Commercial Facilities Emergency Services Financial Healthcare Dams Utilities Telecom Council 3

4 What do you have that others want? Customer data Infrastructure data Infrastructure 2014 Utilities Telecom Council 4

5 Verizon Breach Report is a comprehensive look at the global state of cybersecurity Utilities Telecom Council 5

6 Attackers are getting better while defenders are running in place 100% Time to compromise is in days or hours 75% 50% 25% Time to discovery is in days or hours Utilities Telecom Council 6

7 In the meanwhile the number of devices connected to the Internet is growing exponentially 1970 = = = 313, = 93,000, = 5,000,000, = 31,000,000,000 Source: Intel 2014 Utilities Telecom Council 7

8 Secure and reliable networks are critical for the utility networks of the future 2014 Utilities Telecom Council 8

9 ISA-62443/IEC series provides guidance for industrial process control systems security 2014 Utilities Telecom Council Copyright ISA 9

10 Guidelines Requirements Terminology Governance ISO/IEC Information Security Management System (ISMS) Family of Standards ISO/IEC Overview and Vocabulary ISO/IEC ISMS Requirements ISO/IEC Audit & Certification Requirements ISO/IEC Code of Practice ISO/IEC ISMS Guidelines ISO/IEC Audit Guidelines ISO/IEC Guidance for auditors on ISMS controls ISO/IEC Measurement ISO/IEC Use of ISO/IEC for sector/service-specific Third- Party accredited certifications ISO/IEC Risk Management ISO/IEC 270XX Sector-Specific Guidelines ISO/IEC Information security management guidelines based on ISO/IEC for process control systems specific to the energy utility industry Security Engineering ISO/IEC Common Criteria ISO/IEC Secure software development and evaluation under ISO/IEC and ISO/IEC Implementation ISO/IEC Supplier Relationships ISO/IEC Application Security Identity Management and Privacy Technologies ISO/IEC Code of practice for PII protection in public clouds acting as PII processors Source: Booz Allen Hamilton 2014 Utilities Telecom Council 10 10

11 NIST Cybersecurity Framework summarizes existing standards and advocates a tailored risk-based approach Identify Protect Detect Respond Recover Tier 4 Adaptive Tier 3 Repeatable Tier 2 Risk Informed Tier 1 Partial Risk Management Process Continuous improvement, predictive, adaptive Formally approved and responsive to change Informal and Ad Hoc Risk Management Program Part of organizational culture Approved but not enterprisewide Organizationwide, effective response Organizational awareness, processes and procedures Irregular, case-by-case External Participation Proactively shares information Understands dependencies Informal external information sharing None Resources Required knowledge and skills Required knowledge and skills Sufficient Insufficient Step 1: Prioritize and Scope Step 2: Orient Step 3: Create a Current Profile Step 4: Conduct a Risk Assessment Step 5: Create a Target Profile Step 6: Determine, Analyze, and Prioritize Gaps Step 7: Implement Action Plan 2014 Utilities Telecom Council 11

12 PROCESS IMPLEMENTATION NIST standards and guidelines provide detailed information NIST SP Information Security Risk Management Assess Risk NIST SP Risk Assessment NIST SP Security Measurement NIST SP Key Management NIST SP Incident Handling Frame NIST SP Supply Chain Risk Management NIST SP Security Lifecycle Monitor NIST SP Continuous Monitoring Respond NIST SP Security Controls NIST SP A Security Controls Assessment NISTIR 7628 Smart Grid Security NIST SP Industrial Control Systems Security 2014 Utilities Telecom Council 12

13 Utilities cybersecurity needs and priorities Harmonize standards and guidelines to facilitate practical implementation Transition from legacy network architectures to smart networks of the future Develop utility cybersecurity workforce that can implement reliable and secure networks for the future Facilitate productive dialog with ICT vendors about integrating security into utility ICT products and services Reduce variability of security practices among different utilities and provide quick start implementation guides Enable security-aware culture where everyone in a utility understands security risks and is able to behave accordingly Continue progress towards the legal framework for threat and vulnerability information sharing 2014 Utilities Telecom Council 13

14 Utilities are increasingly putting cybersecurity under a single point of responsibility Operations Engineering Telecom IT Cybersecurity Converged IT/OT with Cybersecurity 2014 Utilities Telecom Council 14

15 Challenges moving forward Emerging threat Evolving regulation Qualified workforce IT/OT convergence Vendor assurance practices 2014 Utilities Telecom Council 15

16 Questions 2014 Utilities Telecom Council 16