
Page 1: International cybersecurity standards webinar/media/Files/Insights... · Notional Supply Chain Risk Management Practices for Federal Information Systems SAFECode Software Supply Chain

www.dlapiper.com, September 12, 2016

INTERNATIONAL CYBERSECURITY STANDARDS
Practical Applications for Growing Corporate Value

If you cannot hear us speaking, please make sure you have called into the teleconference number on your invite information. US participants: 1 800 743 4304. Outside the US: 1 212 231 2921. The audio portion is available via conference call. It is not broadcast through your computer.

*This webinar is offered for informational purposes only, and the content should not be construed as legal advice on any matter.

Page 2: Speakers

Moderator - Kelly Friedman, Partner, DLA Piper
Eric Hibbard, CTO for Security and Privacy, Hitachi Data Systems
Nadya Bartol, Associate Head of Cybersecurity Practice, BCG Platinion
Tyson Macaulay, CISSP, CISA - Author of forthcoming cybersecurity book RIoT Control: Managing Risk and the Internet of Things

Page 3: Introduction

Kelly Friedman, Partner, DLA Piper

Page 4

“Given the increasingly global, complex, and interconnected nature of the world economy, characterized by rapid advances in technology and use of commercial off the shelf products to assure cybersecurity and resilience, the use of international cybersecurity standards for information technologies (IT) and industrial control systems (ICS) are necessary for the cybersecurity and resilience of all U.S. information and communications systems and supporting infrastructures.”

Interagency Report on Strategic U.S. Government Engagement in International Standardization to Achieve U.S. Objectives for Cybersecurity, prepared by the International Cybersecurity Standardization Working Group of the National Security Council’s Cyber Interagency Policy Committee, December 2015

Page 5

“A Standard is a document, established by consensus and approved by a recognized body, which provides for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context.”

ISO/IEC Guide 2:2004: Standardization and related activities - General Vocabulary

Page 6: ISO/IEC JTC 1, SC27

One of the key organizations in the world developing international cybersecurity standards is the International Organization for Standardization / International Electrotechnical Commission Joint Technical Committee 1, Information Technology (ISO/IEC JTC 1).

In particular, Subcommittee 27: “IT Security Techniques”.

Page 7: ISO/IEC JTC 1 Security Standardization

Eric Hibbard, CISSP-ISSAP, ISSEP, ISSMP, CCSP, CISA, CTO for Security and Privacy, Hitachi Data Systems

Page 8: SC 27 (IT security techniques)

SC 27 is an internationally recognized centre of information and IT security standards expertise serving the needs of business sectors as well as governments. Its work covers the development of standards for the protection of information and ICT. This includes requirements, methods, techniques and guidelines to address aspects of both security and privacy in regard to:

• Information security management systems (ISMS)
• Cryptographic and security mechanisms
• Security evaluation, testing and specification
• Security controls and services
• Identity management and privacy technologies

Page 9: ISO project development process

Source: Welcome package of ISO/IEC JTC 1/SC 27 -- IT Security Techniques

Page 10: 27000 family of standards (1)

Source: Laura Lindsay, Microsoft

Page 11: 27000 family of standards (2)

• ISO/IEC 27000 — Information technology - Security Techniques - Information security management systems — Overview and vocabulary
• ISO/IEC 27001 — Information technology - Security Techniques - Information security management systems — Requirements
• ISO/IEC 27002 — Information technology - Security Techniques - Code of practice for information security management
• ISO/IEC 27003 — Information technology - Security Techniques - Information security management system implementation guidance
• ISO/IEC 27004 — Information technology - Security Techniques - Information security management — Measurement
• ISO/IEC 27005 — Information technology - Security Techniques - Information security risk management
• ISO/IEC 27006 — Requirements for bodies providing audit and certification of information security management systems
• ISO/IEC 27007 — Information technology - Security Techniques - Guidelines for information security management systems auditing (focused on the management system)
• ISO/IEC TR 27008 — Guidance for auditors on ISMS controls (focused on the information security controls)
• ISO/IEC 27009 — Information technology — Security techniques — Sector-specific application of ISO/IEC 27001 — Requirements
• ISO/IEC 27010 — Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications

Page 12: 27000 family of standards (3)

• ISO/IEC 27011 — Information technology - Security Techniques - Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
• ISO/IEC 27013 — Information technology - Security Techniques - Guideline on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
• ISO/IEC 27014 — Information technology - Security Techniques - Information security governance
• ISO/IEC TR 27015 — Information security management guidelines for financial services
• ISO/IEC TR 27016 — IT Security — Security techniques — Information security management — Organizational economics
• ISO/IEC 27017 — Information security management for cloud systems
• ISO/IEC 27018 — Data protection for cloud systems
• ISO/IEC 27019 — Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry
• ISO/IEC 27031 — Information technology - Security Techniques - Guidelines for information and communication technology readiness for business continuity
• ISO/IEC 27032 — Information technology - Security Techniques - Guideline for cybersecurity
• ISO/IEC 27033 — Information technology - Security Techniques - Network security
• ISO/IEC 27034 — Information technology - Security Techniques - Application security

Page 13: 27000 family of standards (4)

• ISO/IEC 27035 — Information technology - Security Techniques - Information security incident management
• ISO/IEC 27036 — Information technology - Security Techniques - Information security for supplier relationships
• ISO/IEC 27037 — Information technology - Security Techniques - Guidelines for identification, collection, acquisition and preservation of digital evidence
• ISO/IEC 27038 — Specification for redaction of digital documents
• ISO/IEC 27039 — Intrusion detection and protection systems
• ISO/IEC 27040 — Guideline on storage security
• ISO/IEC 27041 — Assurance for digital evidence investigation methods
• ISO/IEC 27042 — Analysis and interpretation of digital evidence
• ISO/IEC 27043 — Digital evidence investigation principles and processes
• ISO/IEC 27050 — Information technology — Security techniques — Electronic discovery
• ISO 27799 — Information security management in health using ISO/IEC 27002

Page 14: Interdependencies (e.g. cloud)

Page 15: Sample cloud SDO relationships

Page 16: Cyber Supply Chain Risk Management: Using Standards to Communicate Expectations

Nadya Bartol, Associate Head of Cybersecurity Practice, BCG Platinion

Page 17

72% of Fortune 500 CEOs already consider their company to be a "digital technology company" [1]

When every company is (becoming) a technology company, supply chain is a major cybersecurity risk

1. 2016 Fortune 500 CEO Survey; 2. JuneOven.com/

Page 18: From The World Is Flat by Thomas Friedman

Dell Inspiron 600m Notebook: Key Components and Suppliers

Source: Booz Allen Hamilton and DoD

Page 19: Everyone along the supply chain needs to communicate expectations and provide assurances

ISO/IEC 27036-1:2013 – Information technology — Security techniques — Information security for supplier relationships — Part 1: Overview and concepts

Page 20: There are several ways to communicate expectations

• Supplier Self Assessment, producing a Supplier Attestation
• Acquirer Assessment, producing Assessment Results
• Independent Third Party Certification, producing a Certification

Source: Utilities Technology Council

Page 21: Standards help communicate expectations and document conformance

Timeline of government and industry initiatives, 2008 to 2015 (figure):

2008: Comprehensive National Cybersecurity Initiative

2009 to 2013: DoD ICT SCRM Key Practices Document; NIST IR 7622 Notional Supply Chain Risk Management Practices for Federal Information Systems; SAFECode Software Supply Chain Integrity papers; SAE Counterfeit Electronic Parts Avoidance series (SAE AS5553, SAE AS6081, etc.); DHS Vendor Procurement Language; PMOs developed in DOJ and DOE; DHS ICT Supply Chain Exploits Frame of Reference; GAO Report; Cyberspace Policy Review; The President’s International Strategy for Cyberspace; Cybersecurity Procurement Language for Energy Delivery Systems

2014: NIST SP 800-161

2015: IEC 62443-2-4 – Requirements for IACS Solution Suppliers; ISO/IEC 27036 – Guidelines for Information Security in Supplier Relationships; ISO/IEC 20243 – Open Trusted Technology Framework and Conformity Assessments

Source: Utilities Technology Council

Page 22: You can determine which standard(s) apply to you by asking key questions

• Industry sector
• Required standards
• Your role – acquirer or supplier?
• Product, service, or both
• Context of use

Tailor for your purpose!

Page 23: IoT Security and Risk Management

Tyson Macaulay, CISSP, CISA

Page 24: My own participation in IoT standards development (2012 to present)

• ISO JTC1 Working Group 10 – IoT – Delegate
• ISO JTC1 Working Group 7 – Sensor Networking
• ISO JTC1 SC27 Study Group on IoT – Convener (Concluded)
• ISO JTC1 SC27 WG 4 – Study Period on Emerging Virtualization
• ISO JTC1 SC27 WG 4 – Study Period on IoT Gaps and Requirements
• ITU-T Study Group 20 - IoT

Page 25: IoT security is a BIG STORY!

Available on Amazon.com

Page 26: IoT deployments are on the rise

“CEO’s Guide to IoT Security” – AT&T, March 2016

85% of global organizations are considering, exploring, or implementing an IoT strategy

10% of organizations are fully confident that their connected devices are secure

Chart: How many connected devices do you have in your organization? (response bands: None; Fewer than 100; 100-999; 1,000-4,999; 5,000+; Don't know)

Source: AT&T, March 2016

Page 27: Threat agents in the IoT

Criminals, Hacktivists, Industrial Spies, Nation States, Terrorists, Insiders, Chaotic Actors & Vigilantes, Regulators

Page 28: Big threat #1 – device-to-device attacks

Infected device enters the home and attacks adjacent devices – which in turn launch attacks

Infected/compromised devices attack internally and externally

Page 29: Big threat #2 – IoT as the weakest link

• Attack on information-rich devices: personally identifiable info; sabotage or privacy invasions
• IoT cloud services: man-in-the-middle or compromise of the cloud
• Social engineering in the IoT: messages pushed to the device manager (“Upgrade now for your own safety”); fetched “patches” = malware; malware drop
• Compromise of one device leads to all adjacent systems

Page 30: Big threat #3 – management of complexity

IoT ecosystem has many stakeholders and service providers at each point in the architecture

Cascading impacts almost impossible to project or monitor

Assumptions will fail

Stakeholders at each point in the architecture (figure):

• End point: device user(s), device owner, device manager, device maker, supply chain
• Network: network provider, network owner, network manager, equipment maker, supply chain
• Gateway: service function owner, gateway owner, gateway manager, gateway maker, supply chain
• Cloud / DC: service tenant; platform vendor, platform owner, platform manager; software owner, software manager, software vendor; infrastructure owner, infrastructure manager, infrastructure vendors; supply chain

Page 31

WHERE DO THE IOT SECURITY ANSWERS LIE?

PARTIALLY WITH THE IOT DEVICES THEMSELVES

BUT MOSTLY WITH THE NETWORK

Page 32: Evolving IoT infrastructure with 5G wireless

Page 33: Evolving 5G / IoT infrastructure with security

Figure labels:

• Micro-segmentation (by in-home service); form factor: virtual
• Micro-segmentation (by subscriber); form factor: virtual
• Virtualization of the network elements (hardware become software)

Page 34: How are standards helping the IoT cause?

1. Highlighting that IoT is not the same as “conventional” IT
   • Physical risks
   • Enhanced privacy risks
2. Gateways are critical control points
   • Formerly just considered “dumb” network elements
3. Virtualization of the network has profound security effects
   • Opportunities
   • Challenges

Page 35: Questions?

Contact us to learn more

Kelly Friedman, Partner, DLA Piper, [email protected]
Nadya Bartol, Associate Head of Cybersecurity Practice, BCG Platinion, [email protected]
Eric Hibbard, CTO for Security and Privacy, Hitachi Data Systems, [email protected]
Tyson Macaulay, Author of forthcoming cybersecurity book RIoT Control: Managing Risk and the Internet of Things, [email protected]