SBX3-R3 Adding security to your ICS environment? Fine! But how?! Larry Vandenaweele, Security Consultant, PwC, @lvandenaweele
First things first: Control Systems? “A device, or multiple devices, that manages, commands, directs or regulates the behaviour of other devices or systems.”
Critical Infrastructure in the U.S. Presidential Policy Directive 21 (PPD-21) categorized U.S. critical infrastructure into the following 16 Critical Infrastructure sectors:
Chemical
Commercial Facilities
Communications
Critical Manufacturing
Dams
Defense Industrial Base
Emergency Services
Energy
Financial Services
Food & Agriculture
Government Facilities
Healthcare & Public Health
Information Technology
Nuclear Reactors, Materials, Waste
Transportation Systems
Water and Wastewater Systems
Critical Infrastructure in Europe. European Directive 2008/114/EC defines 2 sectors and their respective sub-sectors:
Energy: Electricity; Oil; Gas (+ LNG Terminals)
Transport: Road Transport; Rail Transport; Air Transport; Inland Waterways; Ocean and Short Sea Shipping
Critical Infrastructure in Europe 2.0. European Directive 2016/1148, AKA Network and Information Systems (NIS), covers: Energy; Transport; Banking; Financial Market Infrastructures; Health; Drinking Water Supply & Distribution; Digital Infrastructure. Transposition deadline: 9 May 2018.
ICS is a “hot” topic.. [Figure: threat actors mapped against the data and systems they target]
Threat actors: 1 Nation State; 2 Hacktivists; 3 Organised Crime; 4 Insiders ($ = financially motivated).
Targets: Industrial Control Systems; Geology or Environmental Details; Payment Card and Related Information / Financial Markets; Advanced Materials and Manufacturing Techniques, Methods and Processes; Transportation Control Systems and Logistics / Delivery Data; R&D, Product Design Data and Formulas; Healthcare, Pharmaceuticals, and Related Technologies; Corporate Strategy, Business Deals Information; Health Records and Other Personal Data; Industrial Internet of Things Endpoints – Sensors, Aviation; Marketing and Product/Service Pricing Data, Customer Lists; Construction Contracts and Related Details, …
So “hot” that.. it keeps Operations awake at night. [Figure: risk quadrant, IMPACT vs. LIKELIHOOD] Incident types plotted: Human Safety Incident; Loss of Production; Components / IT Infrastructure Damage; Violation of Data Privacy; Leakage of Intellectual Property; Leakage of Planning Data; Loss of Trading Revenue; Loss of View; Loss of Control; Manipulation of View; Manipulation of Control; Manipulation of Sensors. *The quadrant above is for illustrative purposes only.
So “hot” that.. it even keeps the Business awake. Topics raised: Regulations; Ownership; Patch Management; Compliance; Access Control; Industry Standards; Asset Management; Legacy Hardware; Password Management; Incident Response; Cryptography; Accountability; Monitoring; Industrial IoT; Wireless Access Control; Governance; Network Segmentation.
Don’t panic, but FOCUS! “FOCUS!”
Taking back control, one step at a time. Four phases: Plan, Assess, Define, Implement.
Plan: Define goals and prioritize them for your organisation. Define stakeholders. Are there national / sector regulations in place (CFATS, NERC CIP, etc.)? Be realistic!
Assess: Determine the current maturity level of your organisation. Organise workshops with stakeholders. Are there policies and procedures in place, and are they enforced?
Define: Analyse the results and map them against your defined goals. Verify with stakeholders. Set short, mid, and long term goals.
Implement: Define a strategic roadmap and create an action plan. Communicate with the team – transparency!
Plan. [Figure: stakeholder map spanning OT, IT, Security and Management] Define stakeholders across OT, IT, Security and Management. Identify sanctioning bodies. Prioritize your actions: Network Design, Governance, Asset Management.
Assess. Maturity assessment, technical risk assessment. Assess and verify which controls are already in place. This will take time! *Table - for illustration purposes only – contains fictive values
Assess. Determine which assets are most critical for your organisation. Assess which components are most vital for your assets. Determine the criticality based on realistic attack scenarios. Talk to the right people! *Table - for illustration purposes only – contains fictive values
Define. Analyse your results and map them against your business goals. Use known good practices for measurement (e.g. ISO 27K series). Identify gaps. Verify the results with stakeholders. Define short, mid, and long term goals. *Spider diagram - for illustration purposes only – contains fictive values
Define. Define goals for your ICS environment. Follow good practices applicable to your organisation (e.g. IEC 62443[-3-3]). Set a to-be baseline for all sites. Be realistic and prioritize. There is no “one size fits all” solution. *Spider diagram - for illustration purposes only – contains fictive values
Define - challenges
Implement. Invest time in creating a realistic roadmap. Prioritize actions tailored to your goals (e.g. CSC Top 20) – be realistic! Validate with the business. Secure the commitment of the stakeholders. Deadlines, status meetings, frequent revision of the roadmap. [Figure: example roadmap with short, mid and long term goals across 2017 Q3 – 2019 Q1; goal: Network Architecture; Task 1, Task 2, Task 3, Task 4]
Implement
To Conclude. Critical Infrastructure sectors differ per continent, including their national regulations. ICS is becoming more interesting for threat actors due to the diverse attack surface. Organisations are becoming aware, but often don’t know where to start. A pragmatic and prioritized approach is key. Define and set goals that are important for your line of service. Work together with all stakeholders, including vendors, integrators, etc. One step at a time.
Thank you! Questions? Larry Vandenaweele, Security Consultant, PwC, @lvandenaweele (SBX3-R2)