Public Safety
Public Transport
Air Traffic Management
Maritime
Defence
ICAO Cyber Security Summit and Exhibition
Information security improvements based on structured information stream analyses
Footer | © 2017 Frequentis AG Volker Grantz ICAO Cyber Security Summit and Exhibition | 2
Ensuring complete visualization of vulnerable assets
• Information security is another type of risk
• Replacement of the common method of interviews with a structured analysis
• Information stream analysis guarantees a complete picture
• Measurable improvements
• Information is the value we look at
• Only a sub-set of a normal value stream analysis is performed
Background
Duration
Methods
Summary Volker
• Common tool in mass production
• Originally intended for process optimization
The information stream analysis represents:
• an adaptation of Value Stream Mapping (VSM), which was originally developed as a method within the Toyota Production System in the 1950s and 1960s.
• an intuitive and very effective method to gain a holistic overview of the information streams within an organization.
Based on the analysis of a number of scenarios, flow-oriented state maps representing the current status are created. The following aspects are taken into account when performing an information stream analysis:
• actors
• connections and interactions of activities
• systems to be used (dependent on information known/available)
• documents and information to be exchanged
Value
• Structured analysis of assets & vulnerabilities
• Assurance of mitigations
Connection to risk management process
A tool supporting the very extensive and time-consuming identification of vulnerable entry points (attack surface) in the complex environment of Air Traffic Management
• Establish the context
• Risk identification
• Risk analysis
• Risk evaluation
• Risk treatment
• Communication and consolidation
• Monitoring
Assumptions:
• Security risk management follows a typical risk management process (ISO 31010)
• Information stream analysis can support this process
Assurance
Structured analysis of assets & vulnerabilities
Context of a security risk assessment
The information stream analysis represents a structured process to visualize this context and build a baseline for the risk identification.
• People (Actors/Stakeholders): Who is involved?
• Processes/Tasks: What are they doing?
• Technology (Systems/Connections): What systems are they using?
Steps of the analysis
Definition of the actors & systems involved in the process
• Visualize all actors who have an active role in the process, need to be informed of some process steps or are decision makers.
• List and visualize all systems or system parts involved in the process
Collection of process steps / tasks
• Define the process steps within one complete scenario from start to end in detail
Linking of tasks
• Define information sources, relevant systems, responsibilities, decision makers, other stakeholders and evaluate task-options
Visualization of systems, documents, data and other media
[Diagram labels: Actors, Systems, Tasks, Links]
Baseline for the identification of vulnerable entry points
Business criticality KPIs
Kaizen flash
The resulting overview from the information stream analysis could be used to start the assessment with the segregation of security zones
- Critical devices or sensitive network connections are visualized
- Input for structuring into the security zones Internal, Shared and Public
Internal zone
- under complete control of a single provider with dedicated resource usage
- no external access is possible to the components in the internal domain
- the interfaces are not directly accessible from the outside world
- the most trusted zone
Shared zone
- in a trusted environment, but not under full control of a single system provider
- resource usage is not dedicated but shared with another “trusted” network
- external access is possible to the components that are in the shared domain
Public zone
- part of the system with a connection to an untrusted environment, e.g. a public network or resources provided by a 3rd party (e.g. ISP)
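An added example (not part of the presentation): one way to turn the zone criteria above into a check over an information stream map, listing the connections that cross a zone boundary so they can be reviewed first. The system names, the boolean attributes and the choice to treat zone-crossing links as review candidates are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class System:
    name: str
    single_provider: bool      # under complete control of one provider
    dedicated_resources: bool  # resources not shared with another network
    external_access: bool      # components reachable from outside
    untrusted_link: bool       # connected to a public network or 3rd-party resources

def zone(s: System) -> str:
    """Assign a system to Internal, Shared or Public using the slide's criteria."""
    if s.untrusted_link:
        return "public"
    if s.single_provider and s.dedicated_resources and not s.external_access:
        return "internal"
    return "shared"  # trusted environment, but not fully controlled or dedicated

TRUST = {"internal": 2, "shared": 1, "public": 0}

def boundary_links(systems, links):
    """Return links whose endpoints lie in different zones, least trusted first."""
    zones = {s.name: zone(s) for s in systems}
    crossing = [(a, b, zones[a], zones[b]) for a, b in links if zones[a] != zones[b]]
    return sorted(crossing, key=lambda c: min(TRUST[c[2]], TRUST[c[3]]))

# Constructed sample map (hypothetical systems, not taken from the presentation)
SYSTEMS = [
    System("voice_switch", True, True, False, False),
    System("recorder", True, True, False, False),
    System("flight_data_gateway", False, False, True, False),
    System("remote_maintenance_portal", False, False, True, True),
]
LINKS = [
    ("voice_switch", "recorder"),
    ("voice_switch", "flight_data_gateway"),
    ("flight_data_gateway", "remote_maintenance_portal"),
]

if __name__ == "__main__":
    for a, b, za, zb in boundary_links(SYSTEMS, LINKS):
        print(f"{a} ({za}) <-> {b} ({zb})")
```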
Information stream analysis allows the definition of required levels of
• Confidentiality (C) - property that information is not made available or disclosed to unauthorized individuals, entities, or processes
• Integrity (I) - property of accuracy and completeness
• Availability (A) - property of being accessible and usable upon demand by an authorized entity
for actors, tasks, systems and connections
Assurance of mitigations
C/I/A levels → (Derive) → Security requirements → (Define) → Mitigations
Check