assessing information security maturity in an industrial ... · assessing information security...
TRANSCRIPT
Ekaterina Rudina
Critical Infrastructure Defense
KL ICS-CERT
Assessing information security maturity in an industrial company
1
2
Contents
1. Motivation
2. Security Maturity assessment as a base for security processes in IIoT
3. Security Maturity Model, its purpose and intended use
4. Security Maturity enhancement process
5. Identifying and targeting required Security Maturity level
6. Conclusions and further work
3
Security FacetsWhich, when, where, and to which extent?
Consumerization & mobility
Increasing
online
commerceCritical infrastructure at
risk Big
data
Internet of ThingsCloud &
virtualization
Privacy & data
protection
challenge
Fragmentation of the
Internet
Cars become smarterConnected Cities
Mobile threats
banking at
risk
Massive data
leaks
Decreasing cost of
APTs
Commercialization of APTs
Supply chain attacks
Cyber-
mercenaries“Wipers” & cyber-
sabotage
Targeted attacks
Financial phishing attacksRansomware
Malware for
ATMs
Attacks on PoS
terminals
Merger of cybercrime and
APTs
Targeting
hotel
networks
Internet of
Things
Hacktivism
Vulnerable connected
cars
Ransomware in Targeted
Attacks
OnlineThreats
to Smart Cities
Attacks on Smart Cities IoT botnets
Patch
management Risk attitude
Threat modeling
Access control
Asset
management
Security
policy
Vulnerability assessment
Incident response
4
Difference between Security Level and Security Maturity Level
Consistency in the
implementation Assurance on the
implementation
Confidence in
assurance cases
is a degree for the implementation of security practices,
mechanisms, and procedures
is a degree of understanding of the current Security Level,
its benefits, and cost of its support
SECURITY LEVEL
SECURITY MATURITY LEVEL
5
Example. Approaches to Threat Modeling facet
++ valid across various IIoT domains.
-- sometimes they cannot be properly applied to the particular domain
-- in some other cases they do not cover the specific risks
Horizontal models: general (such as STRIDE or CAPEC classification)
technology specific (OWASP Top 10)
Vertical models: valid within one domain (LINDDUN, PASTA, template by NCC)
++ take into account the specific risks for the domains
-- may cover the narrow set of technologies
-- some “vertical” models address only certain objectives
Combining the methods and models is the best option
General objective: Stakeholders collaboration in the process of getting the mature state
Different stakeholders consider the same aspects from the different viewpoints
Business level stakeholders define the security goals*
Technical level implements the mechanisms and procedures**
* Business level here means security aware stakeholders (not CEO but CISO )
** Technical level – not codewriters but architects, high-level developers, etc.
Business level stakeholderCISO level
Technical level stakeholdersArchitects
High-level Developers
Creating the Security Maturity
Target
Planning the
roadmap
Security Maturity
Assessment
Security Maturity
Enhancement
Gap Analysis
Collaboration
The ProcessPerform
evaluation
Implement Plans
Analyze Identified
Gaps
Prioritize and Plan
Perform evaluation
Implement Plans
Analyze Identified
Gaps
Prioritize and Plan
Perform evaluation
Implement Plans
Analyze Identified
Gaps
Prioritize and Plan
Security Maturity Target
State 1 (initial)
State 2
State n
Security Maturity Target
SM Target defines what the 100% Security Maturity for
the system is
Business level -
Strategist
Business Level -
Security Context Aware Practitioner
Technical level stakeholdersArchitects
High-level Developers
Security Maturity Target
Business Strategy Maturity Model
Security Maturity Model
Knows the concerns.Determine
the objectives collaboration
collaboration
Knows the Context.Creates the new Target/
Reuses the Profile/...
Know the Technical Details.Implement the Roadmap to get the Target
Governance Enablement Hardening
Security Maturity Model
Security Program
Threat Modeling and Risk Assessment
Supply Chain and Dependencies Management
Vulnerability and Patch Management
Situational Awareness
Incident Response, Continuity of Operations
Identity and Access Management
Asset, Change and Configuration Management
Data Protection
Dimensions
Security Domains
Security PracticesSecurity
Program
Manageme
nt
Compliance
Manageme
nt
Threat
Modeling
Risk
Attitude
Supply
chain Risk
Manageme
nt
Third-Party
Dependenci
es
Manageme
nt
Establishing
and
Maintaining
Identities
Access
Control
Asset
Management
Change
and
Configurati
on
Manageme
nt
Security
Model and
Policy for
the Data
Implementat
ion of Data
Protection
Controls
Vulnerability
Assessment
Patch
Manageme
nt
Auditing Information
Sharing and
Communica
tion
Event and
Incident
Response
Remediatio
n, Recovery
and
Continuity
of
Operations
Measuring scale for the Security Facet
Specificity
Soph
isti
cati
on
General IIoT sector
specific
System specific
Every box containsBusiness objectives/
Assessment guidance/
Enhancement guidance
Sophistication and specificity are measured independently
The rows describe the measure of the comprehensive, consistent, and highly assured implementation of security controls
The columns relate to the customized, technically appropriate approach to the implementation of security controls
The detailed scale
Sophistication/Specificity
measured independentlyGeneral IIoT Sector specific System specific
No information on of how the Security Facet is
applied
The Security Facet is implemented somehow
The Security Facet is implemented with taking into
account the main use cases
The Security Facet employs the generally accepted
methods, classifications, tools, software, etc.
The Security Facet is implemented consistently,
using the process-oriented approach
Maturity
Security Facets and their maturity
Threat Modeling
Protection of endpoints
Secure communications ...Incident handlingRecovery and remediation
Vulnerability & Patch management Supply chain managementCompliance/conformance assessment
The Security Maturity Model
Specificity
Sop
hist
icat
ion
Specificity
Sop
his
tica
tio
n
EXAMPLE. SM Target
Security strategy and Governance Threat Modeling and Risk AssessmentSupply Chain and External Dependencies ManagementIdentity and Access ManagementAsset, Change and Configuration Management Vulnerability and Patch ManagementSituational AwarenessEvent and Incident Response, Continuity of Operations Information Sharing and Communication
EXAMPLE. SM State
Security strategy and Governance Threat Modeling and Risk AssessmentSupply Chain and External Dependencies ManagementIdentity and Access ManagementAsset, Change and Configuration Management Vulnerability and Patch ManagementSituational AwarenessEvent and Incident Response, Continuity of Operations Information Sharing and Communication
EXAMPLE. How to get the Target?
Security strategy and Governance Threat Modeling and Risk AssessmentSupply Chain and External Dependencies ManagementIdentity and Access ManagementAsset, Change and Configuration Management Vulnerability and Patch ManagementSituational AwarenessEvent and Incident Response, Continuity of Operations Information Sharing and Communication
The Roadmap
Asset, Change and Configuration Management
Phase 1
Phase 2
Phase 3
Phase 1
Phase 1
Phase 3
General Industrial
sector specific
System specific
Phase 1
Phase 2
Phase 3
Level 1
Level 2
Level 3
Level 4
• SMM allows choosing the direction and the strategy:
- use known security practices (increase maturity)
- tailor the security processes to the system (increase specificity), or
- step-by-step increase both parameters
19
Conclusions, current and further work
Two documents describing the SMM and its use
1. SMM description and intended use
2. SMM details and how to apply
The tool (currently Excel-based ) to support the process of setting the SM Target
1. Questionnaire for the business level stakeholders
2. Visualization of SM Target and SM State
Work continues in the Security Applicability WG of Industrial Internet Consortium
A lot of IIC members are already interested in the results
Contributions, comments, reviews are welcomed!
LET’S TALK?
Kaspersky Lab HQ
39A/3 Leningradskoe Shosse
Moscow, 125212, Russian Federation
Tel: +7 (495) 797-8700
www.kaspersky.com