Adding security to your ICS environment? Fine! But how?!

Presentation transcript:

Adding security to your ICS environment? Fine! But how?! (SBX3-R3)
Larry Vandenaweele, Security Consultant, PwC, @lvandenaweele

First things first.. Control Systems?
"A device, or multiple devices, that manages, commands, directs or regulates the behaviour of other devices or systems."

Critical Infrastructure in the U.S.
Presidential Policy Directive 21 (PPD-21) categorized U.S. critical infrastructure into the following 16 Critical Infrastructure sectors:
- Chemical
- Commercial Facilities
- Communications
- Critical Manufacturing
- Dams
- Defense Industrial Base
- Emergency Services
- Energy
- Financial Services
- Food & Agriculture
- Government Facilities
- Healthcare & Public Health
- Information Technology
- Nuclear Reactors, Materials, Waste
- Transportation Systems
- Water and Wastewater Systems

Critical Infrastructure in Europe
European Directive 2008/114/EC defines 2 sectors and their respective sub-sectors:
- Energy: Electricity; Oil; Gas (+ LNG Terminals)
- Transport: Road Transport; Rail Transport; Air Transport; Inland Waterways; Ocean and Short Sea Shipping

Critical Infrastructure in Europe 2.0
European Directive 2016/1148, AKA the Network and Information Systems (NIS) Directive, covers:
- Energy
- Transport
- Banking
- Financial Market Infrastructures
- Health
- Drinking Water Supply & Distribution
- Digital Infrastructure
Transposition deadline: 9 May 2018

ICS is a "hot" topic..
[Slide graphic: a matrix of threat actors against the types of information and systems they target. The actor-to-target mapping is not recoverable from the transcript; the labels that survive are listed below.]
Threat actors: 1 Nation State; 2 Hacktivists; 3 Organised Crime; 4 Insiders; $ (financial motivation symbol)
Targets: Industrial Control Systems; Geology or Environmental Details; Payment Card and Related Information / Financial Markets; Advanced Materials and Manufacturing Techniques, Methods and Processes; Transportation Control Systems and Logistics / Delivery Data; R&D, Product Design Data and Formulas; Healthcare, Pharmaceuticals, and Related Technologies; Corporate Strategy, Business Deals Information; Health Records and Other Personal Data; Industrial Internet of Things Endpoints – Sensors, Aviation; Marketing and Product/Service Pricing Data, Customer Lists; Construction Contracts and Related Details, ...
So "hot" that.. it keeps Operations awake at night
[Slide graphic: a risk quadrant with IMPACT and LIKELIHOOD axes; the placement of items is not recoverable from the transcript.]
Business impacts: Human Safety Incident; Loss of Production Components; IT Infrastructure Damage; Violation of Data Privacy; Leakage of Intellectual Property; Leakage of Planning Data; Loss of Trading Revenue
ICS-specific consequences: Loss of View; Loss of Control; Manipulation of View; Manipulation of Control; Manipulation of Sensors
*The quadrant above is for illustrative purposes only

So "hot" that.. it even keeps the Business awake
Regulations; Ownership; Patch Management; Compliance; Access Control; Industry Standards; Asset Management; Legacy Hardware; Password Management; Incident Response; Cryptography; Accountability; Monitoring; Industrial IoT; Wireless Access Control; Governance; Network Segmentation

Don't panic, but FOCUS!

Taking back control, one step at a time
Plan:
- Define goals and prioritize them for your organisation.
- Define stakeholders.
- Are there national / regulations in place (CFATS, NERC CIP, etc.)?
- Be realistic!
Assess:
- Determine the current maturity level of your organisation.
- Organise workshops with stakeholders.
- Are there policies and procedures in place, and are they enforced?
Define:
- Analyse the results and map them against your defined goals.
- Verify with stakeholders.
- Set short, mid, and long term goals.
Implement:
- Define a strategic roadmap and create an action plan.
- Communicate with the team – transparency!

Plan
- Define stakeholders: OT, IT, Security, Management.
- Identify sanctioning bodies.
- Prioritize your actions: Network Design, Governance, Asset Management.

Assess
- Maturity assessment, technical risk assessment.
- Assess and verify which controls are already in place. This will take time!
*Table - for illustration purposes only – contains fictive values

Assess
- Determine which assets are most critical for your organisation.
- Assess which components are most vital for those assets.
- Determine criticality based on realistic attack scenarios.
- Talk to the right people!
*Table - for illustration purposes only – contains fictive values

Define
- Analyse your results and map them against your business goals.
- Use known good practices for measurement (e.g. ISO 27K series).
- Identify gaps.
- Verify the results with stakeholders.
- Define short, mid, and long term goals.
*Spider diagram - for illustration purposes only – contains fictive values

Define
- Define goals for your ICS environment.
- Follow good practices applicable to your organisation (e.g. IEC 62443[-3-3]).
- Set a to-be baseline for all sites.
- Be realistic and prioritize. There is no "one size fits all" solution.
*Spider diagram - for illustration purposes only – contains fictive values

Define - challenges

Implement
- Invest time in creating a realistic roadmap.
- Prioritize actions tailored to your goals (e.g. CSC Top 20) – be realistic!
- Validate with the business.
- Secure the commitment of the stakeholders.
- Deadlines, status meetings, frequent revision of the roadmap.
[Slide graphic: a roadmap timeline split into Short term, Mid term and Long term, covering Q3 2017 through Q1 2019 (Q3, Q4, Q1, Q2, Q3, Q4, Q1). The example goal "Network Architecture" is broken down into Task 1 to Task 4 placed along the timeline.]

Implement

To Conclude
- Critical Infrastructure Sectors differ per continent, including their national regulations.
- ICS is becoming more interesting for Threat Actors due to the diverse attack surface.
- Organisations are becoming aware, but often don't know where to start.
- A pragmatic and prioritized approach is key.
- Define and set goals that are important for your line of service.
- Work together with all stakeholders, including vendors, integrators, etc.
- One step at a time.

Thank you! Questions? (SBX3-R2)
Larry Vandenaweele, Security Consultant, PwC, @lvandenaweele