Ernie Hayden CISSP CEH GICSP Executive Consultant www.securicon.com

Transcription:

Ernie Hayden CISSP CEH GICSP Executive Consultant www.securicon.com
V1 10-7-14
This Presentation is Proprietary to Securicon, Inc. Any use of this document without express written approval from Securicon is strictly prohibited.

- The Opportunity
- The Approach
- Current Framework
- Future Plans/Changes
- Q&A

Major Global Consumer Products Company Hired Securicon to Help with ICS Security
Key Needs:
- Kick-start ICS Security for 20+ global factories
- Begin assessing ICS Security program from organizational perspective as well as at plants
- Assist in hiring ICS Security Lead
- Develop framework for implementing ICS Security across the corporation
Caveat: Allowed to Discuss Framework but Company Wishes to Remain Anonymous

Key Questions to Be Answered:
- Purpose?
- Functions of Framework?
- Scope?

Philosophy:
- ICS systems are the foundation of the production systems and factories
- Without their safe, secure and reliable operations, production and shipments are negatively impacted:
  - Customer Satisfaction
  - Corporate Revenue
- The Framework establishes the key elements of ICS security for the plants and factory operations
  - For: ICS architecture, design, procurement, operation, maintenance, repair and decommissioning
Overall Intent: Complement and integrate with overall cyber and physical security controls for corporation and associated regional/national laws affecting the company

Criteria:
- Does it help analyst/policymaker understand and provide structure to a complex phenomenon (i.e., ICS Security)?
- Does it help focus on important dimensions of policy design?
- Does it help generate additional hypotheses for possible future action?
- Does it offer guidance for prioritizing actions?
Reference: Border Security: The Complexity of the Challenge http://fas.org/sgp/crs/homesec/rl32839.pdf

Key Reference: ISA Security of Industrial Automation and Control Systems Master Glossary (March 2013) ISA-TR62443-1-2
ICS Defined As:
- Personnel, hardware and software that can affect or influence the safe, secure, and reliable operation of an industrial process
- Involved in the operation of the industrial processes and that can affect or influence its safe, secure and reliable operation

Systems Include:
- ICS, including:
  - Distributed control systems (DCS)
  - Programmable Logic Controllers (PLCs)
  - Remote Terminal Units (RTUs)
  - Intelligent Electronic Devices (IED)
  - SCADA
  - Networked Electronic Sensing and Control, Monitoring and Diagnostic Systems
  - Includes Safety Instrumented Systems (SIS)
- Associated Information Systems:
  - Advanced/Multivariable Control, Online Optimizers, Dedicated Equipment Monitors, Process Historians, Manufacturing Execution Systems (MES)
- Associated Human, Network or Machine Interfaces for Control, Safety and Mfg Ops

Specifically Expressed in Framework
Needed to Aid in IT/OT Communications
- A - Availability
- I - Integrity
- C - Confidentiality

REFERENCE MODEL: a framework for understanding significant relationships among entities in select environments and for development of consistent standards and specifications supporting that environment.
Basis: Purdue Model

Now What Standards to Follow?

- AC  Access Control
- AT  Awareness & Training**
- AU  Audit & Accountability
- BC  Business Continuity
- CM  Configuration Management**
- IR  Incident Response
- PM  Program Management**
- PS  Personnel & Security
- RA  Risk Analysis**
- SC  System & Communication Protection
- SA  System and Services Acquisition & Development**
** = Initial Areas of Focus
Similar to NIST 800-53 Security Control Classes, Families & Identifiers

- ISA 99/IEC-62443 Industrial Automation and Control Systems Security Standards
- NIST 800-82, Guide to Industrial Controls Systems Security (R2)
- ISO/IEC 27001/2:2005: Information Technology Security Techniques Information Security Management Systems
- ICS-CERT Recommended Practices https://ics-cert.us-cert.gov/introduction-Recommended-Practices

Next Step: The Control Matrix

Many formatting ideas taken from NIST Cybersecurity Framework

Risk & Impact Analysis

Framework is intended to provide guidance and a semblance of criteria in order to ascertain ICS impact levels to be ultimately used to categorize ICS components and systems for risk assessments
Reference: 800-82, Revision 2, Page 88

ICS Cybersecurity Model/Grading

Additional Security Guidance

Essential Function: A function or capability that is required to maintain health, safety, the environment and availability of equipment under control.

- Security measures shall not adversely affect essential functions of a high availability ICS unless supported by a risk assessment.
- Security measures should not cause loss of protection, loss of control, loss of view or loss of other essential functions.
- Access controls shall not prevent operation of the essential functions.
- Essential functions of the ICS shall be maintained if zone boundary protection goes into fail-close and/or island mode.
- A denial of service (DoS) event on the ICS or SIS network shall not prevent the SIS and its associated functions from acting.
Reference: ANSI/ISA-62443-3-3 (99.03.03)-2013 Page 24

- This section focuses on the need to allow for exceptions to the Framework and associated Matrix
- Exceptions need to be reviewed for business risk and approved by plant management and the security organization
- Exceptions are intended to be reviewed at least annually

- Systems out of compliance are subject to disconnection from company network
- Employees: disciplinary action
- Vendors and 3rd Parties: termination of contract and/or loss of business with the company

- Purpose
- Functions of a Conceptual Framework
- Scope
- Framework Statement
- Primary ICS Security Philosophy
- Primary Network Reference Model
- Primary ICS Security Standards
- Risk and Impact Analysis for ICS
- ICS Cybersecurity Maturity Model/Grading
- Common Control System Constraints
- Exceptions
- Enforcement
- Appendix A: ICS Security Controls Matrix

Future Plans & Changes for the Framework

- Framework being used globally
- Plant ICS security assessments in progress using Framework for reference
- Matrix continues to be augmented and updated
- Challenges with rate of change to ISA/IEC-62443 Documents
- More work required to ensure it is viable

Ernie Hayden CISSP CEH GICSP Executive Consultant
(C) 425-765-1400
ernie.hayden@securicon.com