NTXISSACSC3 - Managing Cyber Security Across the Enterprise by Asif Effendi


Upload: north-texas-chapter-of-the-issa

Post on 15-Jan-2017


Page 1: NTXISSACSC3 - Managing Cyber Security Across the Enterprise by Asif Effendi

@NTXISSA #NTXISSACSC3

Managing Cyber Security Across the Enterprise

Asif Effendi

September 3, 2015

austinssi

Slide 2

Managing Cyber Security Across the Enterprise

Highlights:

Oil and Gas Threat Landscape

Challenges in Securing Control Systems

Cyber Security Strategies

Conclusion

Slide 3

Threat Landscape

Slide 4

Threat Landscape

Increase in sophistication of cyber attacks

[Bar chart: Increase in Sophistication of Attacks Against Infrastructure (2015 Report of Organization of American States). Yes 76%, No 5%, Unsure 19%.]

Slide 5

Threat Landscape

Largest sector of cyber incidents is Energy industry

Distribution of Cyber Incidents (ICS-CERT)

Energy, 53%

Critical Manufacturing, 17%

Communications, 5%

Transportation, 5%

Info Tech, 4%

Water, 4%

Nuclear, 3%

Commercial Facilities, 2%

Government, 2%

Postal & Shipping, 1%

Difference in security attribute between ICS and Enterprise systems

Slide 6

Challenges in Securing Systems

Courtesy: Kaspersky Lab

Slide 7

Challenges in Securing Systems

Differences/similarities in security controls considerations between ICS and Enterprise systems

Attribute: ICS / Enterprise

Life Span: 15 – 20 years / 3 – 5 years

COTS Related Vulnerabilities: Yes / Yes

Third Party Access to Systems: Frequent / Limited

Security Considerations in Implementation: Limited / Yes

Wireless Access to Systems: Significant / Limited

Defense in Depth in securing ICS

Slide 8

Cyber Security Strategies

Risk Based Approach and Management to Securing ICS

Slide 9

Cyber Security Strategies

Network Segmentation

Slide 10

Cyber Security Strategies

(Reference: Defense in Depth Strategies, Idaho National Laboratory, Department of Homeland Security Based on ISA 62443)

Slide 11

Conclusion

Summary

Rapid integration of “Commercial Off the Shelf” (COTS) in ICS environment comes with vulnerabilities and risks

Industrial control systems are not easy to secure

Hacker knowledge base is growing rapidly, resulting in more sophisticated attacks

Risk has to be managed although it cannot be eliminated. Risk-based “Defense in Depth” mitigates cyber risks at multiple layers in an organization

Slide 12

Thank you

The Collin College Engineering Department

Collin College Student Chapter of the North Texas ISSA

North Texas ISSA (Information Systems Security Association)