Quality Assurance: The 80% of Industrial Control Systems Cybersecurity - Rabbani Syed

Uploaded by promediakw, posted 11-Aug-2015

Page 1: Mr. Sayed Rabbani - Quality Assurance - The 80% of Industrial Control System Cyber security

Quality Assurance: The 80% of Industrial Control Systems Cybersecurity - Rabbani Syed

Page 2:

Quality Assurance: The 80% of ICS Security

1. The ICS Context

2. The Challenges

3. Technology, People, Processes

4. Quality Assurance Processes & Frameworks

Page 3:

About me

Rabbani Syed, Systems Analyst, IT Quality Management, Information Technology, KNPC

Previous: Systems Engineer – Kuwait Controls Co.
◦ SCADA, DCS & Telemetry Systems for MEW

Senior Engineer, Bharat Electronics (BEL-India)
◦ Design & Development of Real Time Computer Systems for Electronic Warfare Systems (Anti-Radar and Electronic Counter Measure Systems)

M. Engg. in ECE – Osmania University, B. Tech in ECE – JNTU, India

Certifications: PMP, CISSP, CISA, CISM, CGEIT

Certificates: ISO27001LA, ISA99 Cybersecurity Fundamentals Specialist

Page 4:

The ICS Context

ICS – Industrial Control Systems (SCADA, DCS, PLCs, Telemetry, Building Automation Systems, etc.)

OT – Operational Technology

IT – Information Technology

Page 5:

The ICS Context

[Figure: Confidentiality, Integrity and Availability, shown once for IT and once for OT]

Page 6:

The ICS Context

Differing Performance Requirements:

Page 7:

The ICS Context

Differing Reliability Requirements:

Page 8:

The ICS Context

Differing Risk Management Approaches

Page 9:

The Challenges:

1. Changes in the ICS Architecture

2. Multi-vendor EPC Contracts

3. Management Expectations

4. Over 20 Standards

5. SIL Certification does not evaluate Cybersecurity

6. Hackers – No Experience required

7. Unintentional Security Incidents

8. The depth and breadth of ICS Security Tasks

Page 10:

The Challenge: Changes in the ICS Architecture

• ICS now use commercial off-the-shelf (COTS) technology

• Highly connected to the internet

• Offer remote access

Page 11:

The Challenge: Multi-vendor EPC Contracts

Page 12:

The Challenge: Management Expectations

Page 13:

The Challenge: SIL Certification does not evaluate Cybersecurity

• IEC 61508 certification (SIL certification) addresses functional safety, i.e. random hardware failures and systematic faults; it does not evaluate resistance to deliberate attack.

Page 14:

The Challenges: Over 20 Standards

1. ISA 99 / IEC 62443 – Cybersecurity Standard for ICS

2. NIST SP 800-82: Guide to Industrial Control Systems (ICS) Security

3. NERC CIP-002 through CIP-009

4. Oil & Gas Sector: API Standard 1164 – SCADA Security

5. Water & Waste Water Sector Standards

6. Chemical Sector Standards

7. ……

Page 15:

The Challenge: Hackers – No Experience required

Nessus plugins and Metasploit modules targeting ICS vulnerabilities have been publicly released, enabling anyone to find and exploit them.

Page 16:

The Challenge: Hackers – No Experience required

www.rapid7.com, www.shodan.com; free code to crash PLCs is available on the internet.

Page 17:

The Challenge: Hackers – No Experience required

Page 18:

The Challenge: Unintentional incidents

80% of actual control system security incidents were unintentional (source: www.risidata.com)

Page 19:

ISA99 / IEC 62443

Page 20:

ISA99 / IEC 62443 – Zones & Conduits
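The zones-and-conduits model is easiest to treat as a policy that can be checked mechanically: every asset belongs to exactly one zone, and traffic may cross a zone boundary only through a defined conduit, and only for the services that conduit is declared to carry. The following is an added example in Python, not code from the original slides or from ISA/IEC; the zone names, address ranges, target security levels, conduit services and the flow records are all constructed for illustration. It classifies each flow record as intra-zone, conduit-allowed, or a violation (no conduit between the two zones, a service the conduit does not carry, or an endpoint outside every zone).

```python
"""Check network flows against an IEC 62443-style zones-and-conduits policy.

Added example (not from the original slides). Zones, conduits and the flow
records below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    networks: tuple    # ip_network objects that make up the zone
    target_sl: int     # assumed target security level (SL-T) for the zone


@dataclass(frozen=True)
class Conduit:
    src: str             # zone the connection is initiated from
    dst: str             # zone the connection is allowed into
    services: frozenset  # (protocol, port) pairs the conduit is declared to carry


# Constructed reference architecture: four zones, three conduits. Conduits are
# modelled in the direction the TCP connection is initiated.
ZONES = (
    Zone("enterprise", (ipaddress.ip_network("10.0.0.0/16"),), 1),
    Zone("dmz",        (ipaddress.ip_network("10.1.0.0/24"),), 2),
    Zone("control",    (ipaddress.ip_network("192.168.10.0/24"),), 3),
    Zone("safety",     (ipaddress.ip_network("192.168.20.0/24"),), 4),
)

CONDUITS = (
    # business users reach the historian's web front end in the DMZ
    Conduit("enterprise", "dmz", frozenset({("tcp", 443)})),
    # the DMZ historian polls controllers over Modbus/TCP and S7comm
    Conduit("dmz", "control", frozenset({("tcp", 502), ("tcp", 102)})),
    # the control zone may read the safety system over Modbus/TCP only
    Conduit("control", "safety", frozenset({("tcp", 502)})),
)


def zone_of(ip: str):
    """Return the Zone containing ip, or None if it lies outside every zone."""
    addr = ipaddress.ip_address(ip)
    for zone in ZONES:
        if any(addr in net for net in zone.networks):
            return zone
    return None


def check_flow(src_ip: str, dst_ip: str, proto: str, port: int):
    """Classify one flow as ("allow" | "deny", reason)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny", "endpoint outside every defined zone"
    if src.name == dst.name:
        return "allow", f"intra-zone traffic within {src.name}"
    for conduit in CONDUITS:
        if conduit.src == src.name and conduit.dst == dst.name:
            if (proto, port) in conduit.services:
                return "allow", f"conduit {src.name}->{dst.name} carries {proto}/{port}"
            return "deny", f"conduit {src.name}->{dst.name} does not carry {proto}/{port}"
    return "deny", f"no conduit from {src.name} to {dst.name}"


# Constructed flow records: "src_ip dst_ip proto dst_port", one per line, the
# shape a trimmed NetFlow or conntrack export would give.
SAMPLE_FLOWS = """\
10.0.5.20 10.1.0.10 tcp 443
10.1.0.10 192.168.10.50 tcp 502
10.0.5.20 192.168.10.50 tcp 502
192.168.10.50 192.168.20.5 tcp 502
192.168.10.50 192.168.20.5 tcp 44818
203.0.113.9 192.168.10.50 tcp 502
192.168.10.50 192.168.10.51 tcp 102
"""


def audit(flow_text: str):
    """Return [(flow_line, reason)] for every flow the policy denies."""
    violations = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src_ip, dst_ip, proto, port = line.split()
        verdict, reason = check_flow(src_ip, dst_ip, proto, int(port))
        if verdict == "deny":
            violations.append((line, reason))
    return violations


if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {flow}: {reason}")
```

Run against the constructed records, the audit flags three flows: an enterprise host talking Modbus/TCP straight to a controller (the remote-access and connectivity change described earlier in the deck), an undeclared service toward the safety zone, and a source outside every zone. Enforcement itself belongs on the firewalls between zones; a check like this is the quality-assurance step, run over firewall rules or exported flow logs to confirm that the as-built network still matches the zones and conduits the design documented.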

Page 21:

Technology, People and Processes

1. Technology
◦ The Cost-Benefit Analysis

2. People
◦ Is security awareness enough?

3. Processes
◦ The 80% of ICS Security

Page 22:

Quality Assurance

1. Quality Assurance

2. The Processes

3. Frameworks

Page 23:

IT Frameworks

1. IT Governance - COBIT 5

2. IT Service Management - ITIL V3.1

3. Enterprise IT Architecture – TOGAF V9.1

Page 24:

TOGAF 9.1

1. Enterprise IT Architecture

2. Originated from TAFIM (early 1990s), developed by the US Dept. of Defense

3. Provides an approach for designing, planning, implementing, and governing an enterprise Information Technology architecture.

Page 25:

COBIT 5

1. Governance & Management Framework for Enterprise IT – End to End

2. Building on a 16-year history

3. Provides structure, practices and tools to:
◦ Proactively deliver value
◦ Manage risk
◦ Maximize ROI

Page 26:

ITIL V3.1

1. IT Service Management Framework

2. Originated in the late 1980s with the UK Government's CCTA

3. Focus on optimal service provisioning at justifiable cost

Page 27:

NIST Cybersecurity Framework

Page 28:

NIST Cybersecurity Framework

Page 29:

NIST Cybersecurity Framework

Page 30:

Quality Assurance Processes & Frameworks: The 80% of ICS Cybersecurity

THANK YOU