David Hanlon, Secretary, IEC Conformity Assessment Board (CAB): UNECE WP.6 annual meeting

Post on 21-Mar-2020


TRANSCRIPT

  • Slide 1 (2019-11-07)

    David Hanlon, Secretary, IEC Conformity Assessment Board (CAB)

    UNECE WP.6 annual meeting, UNOG, Geneva, 22nd November 2019


  • Slide 2 (2019-11-07)

    UN CRO Guidelines for Cybersecurity
    • Draft version endorsed in November 2018
    • Further developed during 2019
    • Added sector examples (uncompleted)
    • Currently circulated for review
    • Endorsement of 2nd draft expected Nov. 2019

    http://www.unece.org/tradewelcome/tradewp6/groups/cybersecurity.html

    1st & 2nd draft versions available here

    Proposed decision:

    “The Working Party adopts the proposal for a common regulatory framework as contained in this draft proposal”

    It requests that the proposal be published. It also requests the secretariat to continue to report on the progress of the initiative.

    Systematic Methodology: systems approach
    • Model the system
    • Use the GMM
    • Risk based
    • Open choice of requirements → could be standards based
    • Open choice of conformity assessment (CA)
      → supplier's declaration (1st party)
      → open choice of standards
      → internal audits (2nd party) → certification (3rd party)

    Use appropriate CA at appropriate points according to risk.

    Often forgotten in other frameworks, yet essential.

  • Slide 3 (2019-11-07)

    Systematic Methodology

    1) Map sector application to Generic Matrix Model (GMM)

    2) Risk analysis of sector application map
       o Identify and rate risk points

    3) Determine appropriate level of CA for each risk point according to risk level rating

    4) Identify requirements documents (standards)
       o Determine what is available/appropriate → standards gap analysis
       o Determine how to fill the gaps (→ standards development)

    5) Apply appropriate CA to appropriate standards at each risk point

    Review, revise, renew (R3): periodic

    [Figure: Generic Matrix Model (GMM), Systematic Methodology]
    System model (rows): Components, Interconnections, Interventions
    Objects of conformity (columns): Products, People, Processes
    Components row: product A, B, C…; product development; product manufacture, etc.
    Interconnections row: systems integration design; systems integration implementation / realisation, etc.
    Interventions row: asset owner operation; systems upgrades / patch management; vendor & service providers, etc.

  • Slide 4 (2019-11-07)

    [Figure: Generic Matrix Model (GMM), Systematic Methodology; the same 3×3 matrix as the previous slide (Components / Interconnections / Interventions against Products / People / Processes), shown with example entries placed in its cells]

    Example cell entries:
    • Testing
    • Interoperability
    • Patch management
    • Product design competency
    • Systems design competency
    • Product manufacturing competency
    • Systems build competency
    • IT/OT competency
    • Manufacturing processes
    • Design processes
    • Design / realization processes
    • Component selection processes
    • People selection processes
    • Supplier qualification processes
    • Service processes

  • Slide 5 (2019-11-07)

    Generic Matrix Model (GMM)

    Annex C - sector examples (uncompleted)
    http://www.unece.org/tradewelcome/tradewp6/groups/cybersecurity.html

  • Slide 6 (2019-11-07)

    Annex C - sector examples (uncompleted)

    • 8 sector examples
      o Corporate system
      o Medical network system
      o Banking system
      o Railway system
      o Traditional energy utility system
      o Smart grid electrical system
      o Active assisted living system
      o Networked vehicles

    Each sector example has a GMM table indicating standards that can be used in the different phases and applications of the system.

    The GMMs are not complete.

    The uncompleted sector examples with GMMs are included in order to stimulate discussion.

  • Slide 7 (2019-11-07)

    David Hanlon, Secretary, IEC Conformity Assessment Board (CAB)

    UNECE WP.6 annual meeting, UNOG, Geneva, 22nd November 2019
