Quality Assurance: The 80% of Industrial Control Systems (ICS) Cybersecurity -Rabbani Syed

Post on 11-Aug-2015

About me: Rabbani Syed, 27 years of wide-ranging experience in the Defense, Manufacturing, Energy, and Oil & Gas industries.

Systems Analyst, IT Quality Management, Information Technology, Kuwait National Petroleum Company.

Previous: Systems Engineer – Kuwait Controls Co.
◦ SCADA, DCS & Telemetry Systems for Ministry of Electricity & Water (MEW) – Kuwait.

Senior Engineer, Bharat Electronics (BEL-India)
◦ Design & Development of Real Time Computer Systems for Electronic Warfare Systems (Anti-Radar and Electronic Counter Measure Systems)

M. Engg. in ECE – Osmania University, B. Tech in ECE – JNTU, India

Certifications: PMP, CISSP, CISA, CISM, CGEIT

Certificates: ISO27001LA, ISA99 Cybersecurity Fundamentals Specialist

Quality Assurance: The 80% of Industrial Control Systems (ICS) Cybersecurity

Overview:
1. The ICS Context
2. The Challenges
3. Technology, People, Processes
4. Quality Assurance
◦ Processes & Frameworks

Changes in the ICS Architecture
• ICS now use commercial technology
• Highly connected to the internet
• Offer remote access

In the past few years there has been an increase in the number of cyberattacks on ICS.

The ICS Context

ICS – Industrial Control Systems (SCADA, DCS, PLCs, Telemetry, Building Automation Systems etc.)

OT – Operational Technology

IT – Information Technology

The ICS Context

Inversion of importance in Core Security Goals (highest priority first):

IT: Confidentiality, Integrity, Availability
OT: Availability, Integrity, Confidentiality

The ICS Context, in Contrast with the IT Context: Differing Performance Requirements

The ICS Context: Differing Reliability Requirements

IT Network | ICS Network
Scheduled Operations | Continuous Operations
Occasional Failures tolerated | Outages Intolerable
Beta testing in field acceptable | Thorough QC testing expected in non-production environment
Modifications possible with little paperwork | Formal Certifications may be required after any change

The ICS Context: Differing Risk Management Approaches

The ICS Context: Differing Security Architectures

IT World | ICS World
Critical Systems to Protect: Servers, Storage etc. – reside in the Computer Room | Critical Systems to Protect: PLCs and Smart Instruments – reside in the field

The ICS Challenges:
1. Multi-vendor EPC Contracts
2. Increasing Management Expectations
3. 20+ ICS Cybersecurity Standards
4. SIL Certification does not evaluate Cybersecurity
5. Hackers – No Experience required
6. Unintentional Security Incidents
7. Expanding depth and breadth of ICS Security Tasks

The Challenge: Multi-vendor EPC Contracts

The Challenge: Management Expectations

The Challenge: SIL Certification does not evaluate Cybersecurity
• IEC 61508 Certification (SIL Certification) does not evaluate Cybersecurity.

The Challenges: 20+ Standards
1. ISA 99 / IEC 62443 – Cybersecurity Standard for ICS
2. NIST SP 800-82 – Guide to Industrial Control Systems Security
3. NERC CIP-002 through CIP-009
4. Oil & Gas Sector: API Standard 1164 – SCADA Security
5. Water & Waste Water Sector Standards
6. Chemical Sector Standards
7. ……

The Challenge: Hackers – No Experience required
• Nessus plugins and Metasploit modules have been publicly released, enabling anyone to find and exploit these vulnerabilities.
• www.rapid7.com, www.shodan.com; free code to crash PLCs is available on the internet.

The Challenge: Unintentional incidents
• 80% of actual control system security incidents were unintentional (www.risidata.com)

Addressing ICS Cybersecurity:
1. Should controls be taken away from Smart Instruments?
2. Why can’t we build secure systems?
3. Is 100% Cybersecurity ever possible?

Addressing ICS Cybersecurity: Learning from History

Addressing ICS Cybersecurity: Technology, People and Processes
1. Technology
◦ The Cost-Benefit Analysis
2. People
◦ Is Cybersecurity awareness & training enough?
3. Processes
◦ Where is the end?

Addressing ICS Cybersecurity: Technology, People and Processes

TECHNOLOGY
• Hardening Servers, Workstations, Networks, DCS Systems, PLCs, Instruments…
• Implement technical monitoring & controls

PEOPLE
• Awareness
• Training
• Cybersecurity drills

PROCESSES
• Implement Processes
• Monitor Performance
• Review
• Improve

Addressing ICS Cybersecurity: Technology, People and Processes

TECHNOLOGY
• The Cost-Benefit Analysis
• Constraint: COST

PEOPLE
• The Human Factor
• The End: TRUST

PROCESSES
• Quality Assurance
• Sky is the Limit

Quality Assurance
1. QA/QC – Definitions
2. The Processes
3. Standards & Frameworks
◦ The ICS Standards & Frameworks: ISA99, …..
◦ The IT Standards & Frameworks: TOGAF, COBIT, ITIL, ….

ICS Standards & Frameworks: ISA99 / IEC 62443

Relevant part to End-Users: ISA 62443-2 Series – Policies & Procedures

ICS Standards & Frameworks: ISA99 / IEC 62443 – Zones & Conduits

IT Standards & Frameworks
1. ISO 27001
2. IT Governance – COBIT 5
3. IT Service Management – ITIL V3.1
4. Enterprise IT Architecture – TOGAF V9.1

The Contrast: IT & ICS Standards & Frameworks
1. Technology Focus – ICS
2. Business Enablement – IT

TOGAF 9.1
1. Enterprise IT Architecture
2. Originated from TAFIM of the early 1980s, developed by the US Dept. of Defense
3. Provides an approach for designing, planning, implementing, and governing an enterprise Information Technology architecture.

COBIT 5
1. Governance & Management Framework for Enterprise IT – End to End
2. Building on a 16-year history
3. Provides structure, practices and tools to:
◦ Proactively deliver value
◦ Manage risk
◦ Maximize ROI

ITIL V3.1
1. IT Service Management Framework
2. Originated in the late 1980s with the UK Government’s CCTA
3. Focus on optimal service provisioning at justifiable cost

NIST Cybersecurity Framework

IT Frameworks: Enabling ICS Security
1. ICS Security – Purchase Specifications
2. ICS Security Portfolio Management
3. Business Justification
4. Compliance with Regulations
5. Business Risk Management

Quality Assurance: The 80% of ICS Cybersecurity

THANK YOU