Presentation is loading. Please wait.

Presentation is loading. Please wait.

Adding security to your ICS environment? Fine! But how?!

Published byNorbert Fürst Modified over 4 years ago

Similar presentations

Presentation on theme: "Adding security to your ICS environment? Fine! But how?!"— Presentation transcript:

1 Adding security to your ICS environment? Fine! But how?!
SBX3-R3 Adding security to your ICS environment? Fine! But how?! Larry Vandenaweele Security Consultant PwC @lvandenaweele

2 First things first.. Control Systems?
“A device, or multiple devices, that manages, commands, directs or regulates the behaviour of other devices or systems.”

3 Critical Infrastructure in the U.S.
Presidential Policy Directive 21 (PPD-21) categorized U.S. critical infrastructure into the following 16 Critical Infrastructure sectors: Chemical Energy Nuclear Reactors, Materials, Waste Commercial Facilities Financial Services Transportation Systems Communications Food & Agriculture Critical Manufacturing Government Facilities Water and Wastewater Systems Dams Healthcare & Public Health Defense Industrial Base Information Technology Emergency Services

4 Critical Infrastructure in Europe
European Directive 2008/114/EC defines 2 sectors and their respective sub-sectors: Energy Transport Electricity Road Transport Oil Rail Transport Gas (+ LNG Terminals) Air Transport Inland Waterways Ocean and Short Sea Shipping

5 Critical Infrastructure in Europe 2.0.
European Directive 2016/1148 AKA Network and Information Systems (NIS): Energy Transport Banking Financial Market Infrastructures Health Drinking Water Supply & Distribution Digital Infrastructure Transposition deadline 9 May 2018

6 1 2 3 4 $ ICS is a “hot” topic.. Nation State Hacktivists
Industrial Control Systems Geology Or Environmental Details Nation State 1 Payment Card And Related Information / Financial Markets Advanced Materials And Manufacturing Techniques, Methods And Processes Hacktivists 2 Transportation Control Systems And Logistics / Delivery Data R&D, Product Design Data And Formulas Organised Crime 3 Healthcare, Pharmaceuticals, And Related Technologies Corporate Strategy, Business Deals Information Health Records And Other Personal Data Industrial Internet Of Things Endpoints – Sensors, Aviation Insiders 4 $ Marketing And Product/Service Pricing Data, Customer Lists Construction Contracts And Related Details,

7 ICS is a “hot” topic..

8 So “hot” that.. it keeps Operations awake at night
+ Human Safety Incident Loss of Production Components IT Infrastructure Damage Violation of Data Privacy Leakage of Intellectual Property Leakage of Planning Data Loss of Trading Revenue IMPACT LIKELIHOOD Loss of View Loss of Control Manipulation of View Manipulation of Control Manipulation of Sensors + *The quadrant above is for illustrative purposes only

9 So “hot” that.. It even keeps the Business awake
Regulations Ownership Patch Management Compliance Access Control Industry Standards Asset Management Legacy Hardware Password Management Incident Response Cryptography Accountability Monitoring Industrial IoT Wireless Access Control Governance Network Segmentation

10 Don’t panic, but FOCUS “FOCUS!”

11 Taking back control, One step at a time
Define goals and prioritize them for your organisation. Define Stakeholders. Are there national / regulations in place (CFATS, NERC CIP, etc)? Be Realistic! Determine the current maturity level of your organisation. Organise workshops with stakeholders. Are there policies and procedures in place and are they enforced? Plan Assess Implement Analyse the results and map them against your defined goals. Verify with stakeholders. Set short, mid, and long term goals. Define a strategic roadmap and create an action plan. Communicate with team – transparency! Define

12 Plan OT IT Security Define stakeholders Identify sanctioning bodies
Management OT Security IT Define stakeholders Identify sanctioning bodies Prioritize your actions Network Design Governance Asset Management

13 *Table - for illustration purposes only – contains fictive values
Assess Maturity assessment, technical risk assessment. Assess and verify which controls are already in place. This will take time! *Table - for illustration purposes only – contains fictive values

14 *Table - for illustration purposes only – contains fictive values
Assess Determine which assets are most critical for your organisation. Assess which components are most vital for your assets. Determine the criticality based on realistic attack scenario’s . Talk to the right people! *Table - for illustration purposes only – contains fictive values

15 Define Analyse your results and map them against your business goals.
Use known good practices for measurement (e.g. ISO 27K series). Identify gaps. Verify the results with stakeholders. Define short, mid, and long term goals. *Spider diagram - for illustration purposes only – contains fictive values

16 Define Define goals for your ICS environment.
Follow good practices, applicable to your organisation (e.g. IEC 62443[-3-3]). Set a to-be baseline for all sites. Be realistic and prioritize. There is no “one size fits all” solution. *Spider diagram - for illustration purposes only – contains fictive values

17 Define - challenges

18 Implement Invest time in creating a realistic roadmaps.
Prioritize actions tailored to your goals (e.g. CSC Top 20) – be realistic! Validate with the business. Commitment of the stakeholders. Deadlines, status meetings, frequent revision of the roadmap. Short term Mid term Long term 2017 2018 2019 Goal Q3 Q4 Q1 Q2 Q3 Q4 Q1 Network Architecture Task 1 Task 3 Task 2 Task 4

19 Implement

20 To Conclude Critical Infrastructure Sectors differ per continent, including their national regulations. ICS is becoming more interesting for Threat Actors due to the diverse attack surface. Organisations are becoming aware, but often don’t know where to start. A pragmatic and prioritized approach is key. Define and set goals that are important for your line of service. Work together with all stakeholders, including vendors, integrators, etc. One step at a time.

21 Thank you! Questions? Larry Vandenaweele Security Consultant PwC
SBX3-R2 Thank you! Questions? Larry Vandenaweele Security Consultant PwC @lvandenaweele

Download ppt "Adding security to your ICS environment? Fine! But how?!"

Similar presentations

Facilitating a Dialog between the NSDI and Utility Companies J. Peter Gomez Manager, Information Requirements, Xcel Energy.

Facilitating a Dialog between the NSDI and Utility Companies J. Peter Gomez Manager, Information Requirements, Xcel Energy.
Security Offering. Cyber Security Solutions 2 Assessment Analysis & Planning Design & Architecture Development & Implementation O&M Critical Infrastructure.

Security Offering. Cyber Security Solutions 2 Assessment Analysis & Planning Design & Architecture Development & Implementation O&M Critical Infrastructure.
PRESENTATION. INDUSTRIAL International Clients demand response and construction efficiency and are looking to review their business investments to give.

PRESENTATION. INDUSTRIAL International Clients demand response and construction efficiency and are looking to review their business investments to give.
Aquatic Renewable Energy Technologies (Aqua-RET) 2 Workshop Vocational Training in Marine Renewable Energy Technologies 3 rd International Conference on.

Aquatic Renewable Energy Technologies (Aqua-RET) 2 Workshop Vocational Training in Marine Renewable Energy Technologies 3 rd International Conference on.
Lessons Learned in Smart Grid Cyber Security

Lessons Learned in Smart Grid Cyber Security
Copyright © 2006 CyberRAVE LLC. All rights reserved. 1 Virtual Private Network Service Grid A Fixed-to-Mobile Secure Communications Framework Managed Security.

Copyright © 2006 CyberRAVE LLC. All rights reserved. 1 Virtual Private Network Service Grid A Fixed-to-Mobile Secure Communications Framework Managed Security.
What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.

What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.
The Preparatory Phase Proposal a first draft to be discussed.

The Preparatory Phase Proposal a first draft to be discussed.
1 Information System Security Assurance Architecture A Proposed IEEE Standard for Managing Enterprise Risk February 7, 2005 Dr. Ron Ross Computer Security.

1 Information System Security Assurance Architecture A Proposed IEEE Standard for Managing Enterprise Risk February 7, 2005 Dr. Ron Ross Computer Security.
1 SG C Regulatory Fitness and Performance Programme (REFIT) September 2014.

1 SG C Regulatory Fitness and Performance Programme (REFIT) September 2014.
Frankfurt (Germany), 6-9 June 2011 IT COMPLIANCE IN SMART GRIDS Martin Schaefer – Sweden – Session 6 – 0210.

Frankfurt (Germany), 6-9 June 2011 IT COMPLIANCE IN SMART GRIDS Martin Schaefer – Sweden – Session 6 – 0210.
Cyber Insecurity Under Attack Cyber Security Past, present and future Patricia Titus Chief Information Security Officer Unisys Corporation.

Cyber Insecurity Under Attack Cyber Security Past, present and future Patricia Titus Chief Information Security Officer Unisys Corporation.
1 Washington State Critical Infrastructure Program “No security, No infrastructure” Infrastructure Protection Office Emergency Management Division Washington.

1 Washington State Critical Infrastructure Program “No security, No infrastructure” Infrastructure Protection Office Emergency Management Division Washington.
Governor’s Office of Homeland Security & Emergency Preparedness LOUISIANA BANKERS ASSOCIATION 2010 Louisiana Emergency Preparedness Coalition Meetings.

Governor’s Office of Homeland Security & Emergency Preparedness LOUISIANA BANKERS ASSOCIATION 2010 Louisiana Emergency Preparedness Coalition Meetings.
Internet of Things in Industries

Internet of Things in Industries
Reducing data loss by threats detection. InfoWatch Traffic Monitor & Workplace Security. Andrey Sokurenko Business Development Director.

Reducing data loss by threats detection. InfoWatch Traffic Monitor & Workplace Security. Andrey Sokurenko Business Development Director.
A global nonprofit: Focusing on IP Protection and Anti-Corruption Sharing leading practices based on insights from global companies, academics, organizations.

A global nonprofit: Focusing on IP Protection and Anti-Corruption Sharing leading practices based on insights from global companies, academics, organizations.
Telephone : +234 (0) 1 815 8152 | Website : Registered company : 985937 Telephone : +234.

Telephone : +234 (0) | Website : Registered company : Telephone : +234.
Standards Certification Education & Training Publishing Conferences & Exhibits 1 Copyright © ISA, All Rights reserved ISA99 - Industrial Automation and.

Standards Certification Education & Training Publishing Conferences & Exhibits 1 Copyright © ISA, All Rights reserved ISA99 - Industrial Automation and.
Donald JG Chiarella, PhD, CISM, CDMP, PEM, CHS-CIA, MBA.

Donald JG Chiarella, PhD, CISM, CDMP, PEM, CHS-CIA, MBA.

Similar presentations

Ads by Google