An IACS user viewpoint for Cyber Security Management System


15-Jul-2014
Hironobu Takeda, Mitsubishi Chemical Engineering Corporation
IACS: Industrial Automation and Control System

Agenda
- Why a Cyber Security Management System?
- How to build a CSMS (1): What to do first
- How to build a CSMS (2): Risk assessment
- How to build a CSMS (3): Key points, remarks

Objects you should protect for IACS cyber security
For IACS cyber security, a management system is indispensable in addition to technical protection of hardware and software.
What to protect?
- CSMS (Cyber Security Management System): protects HSE (Health, Safety, Environment). Priority: Availability > Integrity > Confidentiality.
- ISMS (Information Security Management System): protects information assets. Priority: Confidentiality > Integrity > Availability.

Efforts on PA system security before the CSMS
In-house PA network security guidelines (first edition, 2009), written by a working group drawn from the process control technology groups of four plants.
Outline of the in-house PA network security guidelines:
- Clarifying the section responsible for PA network security management
- Ideal network configuration
- Guidance on firewall settings
- Remarks about PA network usage
- Change control; regular review of FW rule registrations
- User education
PA: Process automation, FW: Firewall
Check and Act were insufficient after the guidelines were established: the PDCA cycle lagged, and procedures were far from unified across plants.

Motive for the CSMS activity
Motives for participating in the CSMS pilot certification project (*1):
1. Current issues: maintenance and sophistication of IACS cyber security; enhancement of IACS cyber security by following a management system based on IEC 62443-2-1
2. Investment for the future (from our standpoint as a system integrator)
3. Business: preparation for future client demand, as already seen with SIS (safety instrumented systems), especially on overseas work; early acquisition of IACS cyber security techniques; improving company reputation (e.g. CSR, BCP); expansion of business scope (consultation)
IACS: Industrial Automation and Control System, CSR: Corporate social responsibility, BCP: Business continuity plan
(*1) METI 2013

Cyber Security Management System
Continuous brushing up of security measures is necessary. Elements of the CSMS as operated:
- Clarification of object scope
- Organization
- Risk evaluation
- Risk countermeasures: technical response, system enhancement, rules of network usage
- Standards, checklists, evidence of the activity
- Maintenance
- Education: raising awareness and acquiring knowledge
- Incident response
- Change management
- Improvement
Inputs: gathering information and coordinating with other sections, suppliers and external experts. Vulnerabilities and threats emerge constantly, so new countermeasures must be updated and applied continuously.

Outline of the IACS cyber security standard: IEC 62443 series
Standard map for control systems (source: IPA/Information-technology Promotion Agency, Japan, https://www.ipa.go.jp/security/fy24/reports/ics_sec/ics_annex.pdf):
- Standardization targets: organization, system, components/devices
- Parties: manufacturer/supplier, system integrator, user
- Activities: evaluation and certification; management and operation
- Target systems: general-purpose control systems (e.g. petroleum and chemical plants) and systems for special use (power supply systems, smart grid, railway systems)
Explanatory notes in the map distinguish international standards from industry-wide standards.

To obtain leadership support
IEC 62443-2-1 4.2.2 Business rationale (detailed control 5.1); 4.2.2.1 Develop a business rationale (detailed control 5.1.1): "The organization should develop a high-level business rationale, as a basis for its effort to manage IACS cyber security, which addresses the unique dependence of the organization on IACS."
- Clarify the business rationale and obtain executive support
- Leadership commitment and support
- Authorizing the team that carries it out

Scope of the CSMS
Components on the scope diagram: common historian, OA PCs and OA network; firewall (FW); PA network with PDB, OPC, APC and computer terminals in the control room. The CSMS scope is bounded by the firewall between the OA network and the PA network and covers the PA network and the systems on it. This CSMS covers both the Kashima and Mizushima plants.
PDB: Plant database, APC: Advanced process control system, OPC: OPC server of the DCS, OA: Office automation

Project team (from Aug-2013)
The CSMS certification pilot project team:
- Project manager (1 person): communication with executives
- Office staff (2 persons): general affairs
- Operation leader (1 person): development of standards, reconciling differing views
- Promoters on site (1 person per site): operation of the CSMS on site
- Technical support members (2 persons): technical support, in-house auditing
Support from the information systems section and the facilities maintenance section was obtained by communicating with them appropriately.

Top-level activities for establishing a CSMS (source: IEC 62443-2-1 Annex B)
- Initiate the CSMS program
- High-level risk assessment
- Detailed risk assessment
- Establish policy, organization and awareness
- Select and implement countermeasures
- Maintain the CSMS
A rational risk evaluation produces agreement with the resulting controls. Standardize the risk estimation method, and design the management plan based on that risk estimation.

High-level risk assessment
4.2.3.3 Conduct a high-level risk assessment: "A high-level system risk assessment shall be performed to understand the financial and HSE consequences in the event that availability, integrity, or confidentiality of the IACS is compromised."
4.2.3.4 Identify the IACS: "The organization shall identify the various IACS, gather data about the devices to characterize the nature of the security risk and group the devices into logical systems."
- Classify the managed IACS information assets into categories based on their characteristics.
- Classify the common vulnerable items for each IACS category from the viewpoints of operational management, human error, environment, malware (virus), etc.
- Assume and recognize the average risk from each viewpoint.

Detailed risk assessment (source: IEC 62443-2-1 Annex B)
- Inventory IACS systems, networks and devices
- Screen and prioritize (high-level risk assessment)
- Identify detailed vulnerabilities
- Identify and prioritize associated risks
- Update the high-level risk assessment

Detailed risk assessment
4.2.3.11 Integrate physical, HSE and cyber security risk assessment results: "The results of physical, HSE and cyber security risk assessments shall be integrated to understand the assets' overall risk."
4.2.3.12 Conduct risk assessments throughout the lifecycle of the IACS: "Risk assessments shall be conducted through all stages of the technology lifecycle including development, implementation, changes and retirement."

Informational asset inventory
Columns: plant name; category of IACS group; asset name; priority of the information asset (priority for Availability, Integrity, Confidentiality, etc.).
Incorporate the HSE viewpoint into the priority evaluation, e.g. the influence on safety, environment, production and quality when the information asset fails.

Detailed risk assessment in operation
Carry out the detailed risk assessment based on the high-level risk assessment done for each IACS category and on the characteristics of each information asset.
Examples of information asset characteristics:
- Issues with the facility environment, e.g. an unattended room, or a general power supply (not the instrumentation supply)
- Operational issues, e.g. use by a large number of operators, or continuous use (7 days x 24 hours)

Determining the IACS risk rating
4.2.3.8 Identify a detailed risk assessment methodology: "The organization's risk assessment methodology shall include methods for prioritizing detailed vulnerabilities identified in the detailed vulnerability assessment."
4.3.2.6.5 Determine the organization's tolerance for risk: "The organization shall determine and document its risk tolerance as a basis for creation of policy and risk management activities."
Risk rating = f(priority of the information asset, residual risk). Classify the risk rank from A to D and reflect it in the countermeasures.

Risk rating and countermeasures
Risk rating = f(priority of the information asset, residual risk)

Class | Situation | Countermeasure
A     | (description of the risk rating) | (countermeasure for this rating)
B     | (description of the risk rating) | (countermeasure for this rating)
C     | (description of the risk rating) | (countermeasure for this rating)
D     | (description of the risk rating) | (countermeasure for this rating)

Clarify the description of each risk rating, and show the countermeasure required for each rating.
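The slides on the high-level assessment, the asset inventory, the per-asset characteristics and the A-to-D rating describe one procedure without giving the scales behind it. The following is an added worked example of that procedure, not code from the presentation or from Mitsubishi Chemical Engineering: the 1-to-3 scales, the A > I > C weights, the per-category threat viewpoints, the control-to-threat mapping, the rating matrix and the countermeasure text per class are all assumptions chosen for the example, and the inventory rows are constructed using the plant and component names that appear on the slides.

```python
"""Risk rating = f(asset priority, residual risk), classed A to D, with a
countermeasure per class. Added illustration; every scale, weight, threshold
and matrix value is an assumption, not taken from the presentation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One row of the informational asset inventory."""
    plant: str
    category: str            # IACS group; assumed names "DCS", "APC", "PDB"
    name: str
    availability: int        # 1..3, 3 = highest priority (assumed scale)
    integrity: int           # 1..3
    confidentiality: int     # 1..3
    hse_impact: bool = False      # failure influences safety/environment (HSE viewpoint)
    unattended_room: bool = False  # characteristics from the slides that raise exposure
    general_power: bool = False    # general supply, not instrumentation power
    many_operators: bool = False
    continuous_use: bool = False   # 7 days x 24 hours
    controls: frozenset = frozenset()   # countermeasures already in place


# Assumed: common vulnerability viewpoints per IACS category, the output of
# the high-level assessment (operational management, human error, environment, virus).
CATEGORY_THREATS = {
    "DCS": {"human_error", "virus"},
    "APC": {"operational_management", "virus"},
    "PDB": {"operational_management", "virus", "environment"},
}

# Assumed: which existing control addresses which viewpoint.
MITIGATES = {
    "usb_control": {"virus"},
    "whitelisting": {"virus"},
    "change_control": {"operational_management", "human_error"},
    "ups": {"environment"},
}

# Assumed rating matrix: (asset priority, residual risk) -> class A..D.
RATING = {
    (3, 3): "A", (3, 2): "A", (3, 1): "B",
    (2, 3): "B", (2, 2): "C", (2, 1): "C",
    (1, 3): "C", (1, 2): "D", (1, 1): "D",
}

# Assumed countermeasure policy per class (the slide only says each class needs one).
COUNTERMEASURE = {
    "A": "additional control required before continued operation; executive sign-off on residual",
    "B": "countermeasure in the medium/long-term plan; interim compensating control",
    "C": "accept with monitoring; re-check at the next PDCA review",
    "D": "accept; record in the inventory",
}


def _bucket(score: int, low: int, high: int) -> int:
    """Map a raw score to 1..3 using two assumed thresholds."""
    return 1 if score <= low else 2 if score <= high else 3


def asset_priority(a: Asset) -> int:
    """Priority 1..3 with the IACS ordering A > I > C (assumed weights 3/2/1).
    An HSE impact forces the maximum, folding the HSE viewpoint into priority."""
    if a.hse_impact:
        return 3
    weighted = 3 * a.availability + 2 * a.integrity + a.confidentiality  # 6..18
    return _bucket(weighted, 9, 14)


def unmitigated_threats(a: Asset) -> set:
    """Category threats not covered by any control already in place."""
    threats = set(CATEGORY_THREATS.get(a.category, set()))
    for control in a.controls:
        threats -= MITIGATES.get(control, set())
    return threats


def residual_risk(a: Asset) -> int:
    """Residual risk 1..3 from unmitigated threats plus the exposure characteristics."""
    exposure = len(unmitigated_threats(a)) + sum(
        [a.unattended_room, a.general_power, a.many_operators, a.continuous_use])
    return _bucket(exposure, 1, 3)


def rate(a: Asset) -> dict:
    """Apply the rating matrix to one asset and attach the countermeasure."""
    p, r = asset_priority(a), residual_risk(a)
    cls = RATING[(p, r)]
    return {"asset": f"{a.plant}/{a.category}/{a.name}", "priority": p,
            "residual": r, "unmitigated": sorted(unmitigated_threats(a)),
            "rating": cls, "countermeasure": COUNTERMEASURE[cls]}


def assess(inventory) -> list:
    """Rate every asset, highest class first, for the countermeasure plan."""
    return sorted((rate(a) for a in inventory), key=lambda row: row["rating"])


# Constructed sample inventory (plant and component names from the slides).
INVENTORY = [
    Asset("Kashima", "DCS", "OPC server", 3, 3, 1, hse_impact=True,
          many_operators=True, continuous_use=True, controls=frozenset({"usb_control"})),
    Asset("Mizushima", "PDB", "Plant database", 2, 3, 2, unattended_room=True,
          general_power=True, controls=frozenset({"change_control", "ups"})),
    Asset("Kashima", "APC", "APC workstation", 2, 2, 1,
          controls=frozenset({"whitelisting", "change_control"})),
    Asset("Mizushima", "DCS", "Control-room terminal", 3, 2, 1,
          many_operators=True, continuous_use=True),
]

if __name__ == "__main__":
    for row in assess(INVENTORY):
        print(f"{row['rating']}  {row['asset']:<38} P={row['priority']} R={row['residual']} "
              f"open={row['unmitigated']} -> {row['countermeasure']}")
```

The point of separating asset_priority from residual_risk is the one the slides make: priority comes from the inventory and the HSE viewpoint and does not change when a control is added, whereas residual risk drops as controls are registered against the category's threat viewpoints, so the same matrix shows directly which control moves an asset out of class A or B. The OPC server stays in class A despite USB control because its remaining human-error exposure on a 24x7, multi-operator system is still high; the control-room terminal lands in class B because nothing mitigates its category threats yet.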

Key points for a CSMS (for CSMS certification)
What we felt while building the CSMS:
- Build the CSMS by harmonizing it with existing cyber security activities rather than discarding them. Keep using existing work items that can be adapted to the certification standard on a continuing basis.
- Carry out the high-level and detailed risk assessments, and determine the controls to be adopted from them.
- Carry out Check and Act in a review, and keep the PDCA cycle turning.
- Make a medium- and long-term plan for items that need time and cost, and carry it out.

Remarks
- A framework for continuing the activity was made: the PDCA cycle of security maintenance and enhancement began turning through CSMS operation.
- Rational controls that the organization agrees with were built by risk assessment.
- We realized the need for incident response training.
  - Do whatever training is possible, even as a desktop exercise.
  - Consider using the knowledge and facilities of an outside organization such as CSSC, especially when large-scale training is needed.

Residual issues
Work load balance between detailed controls and continuous activity:
- If the detailed controls bring an excessive work load, this affects the activity itself. Re-check whether there are excessive controls, and simplify controls within a range that does not lose the essence of the standard.
- A sense of balance among risk, effect and work load is important. The review of the detailed controls is itself part of the PDCA cycle in the CSMS.