Cybersecurity. Can Standards Bring Clarity from the Confusion? Speaker: David Doggett

Size: px

Start display at page:

Download "Cybersecurity. Can Standards Bring Clarity from the Confusion? Speaker: David Doggett"

Shawn Carson
5 years ago
Views:

1 Cybersecurity Can Standards Bring Clarity from the Confusion? Standards Certification Education & Training Publishing Conferences & Exhibits Speaker: David Doggett 2014 ISA Water / Wastewater and Automatic Controls Symposium August 5-7, 2014 Orlando, Florida, USA

David has a BS in Electrical Engineering and has worked on both the

2 Presenter David Doggett David is a Cybersecurity Program Director for Schneider Electric s Industry Business. David has a BS in Electrical Engineering and has worked on both the system integration and supplier side of control systems for 20 years. Aug 5-7, 2014 Orlando, Florida, USA 2

3 Presentation Outline Standards or Certification, which is better? Review of Standards International, National and Segment standards. End user, System Integrator and System Vendors standards. Choosing the right Standard to apply For an end user security program For suppliers Aug 5-7, 2014 Orlando, Florida, USA 3

4 Standards or Certification Standards guide the security level/features of a system Certification provides 3 rd party assurance that a system meets a minimum level of security. Can substitute for expertise when evaluating a system. Do you understand the details of SSL/TLS or just trust the icon on the browser? Aug 5-7, 2014 Orlando, Florida, USA 4

International, National and Segment Segments. NERC-CIP National Standards Under Development France China IEC62443 Certification coming in 2014?

IEC62443 / ISA99 Standards 62443-3-3 System Security Requirements 62443-4-2 Technical Security Requirements 62443-4-1 Product Development Process 62443-2-4 System Deployment Process (SI) System

5 International, National and Segment Segments. NERC-CIP National Standards Under Development France China IEC62443 Certification coming in 2014? Specialist Certifications available today- Certifies a product or system against test criteria/standard ISASecure System Achilles Communication Robustness ISASecure EDSA Achilles Certified Practices IEC62443 / ISA99 Standards System Security Requirements Technical Security Requirements Product Development Process System Deployment Process (SI) System Security Assurance Achilles Communication Robustness Embedded Device Security Assurance Process Domain Security Requirements Product System Functional Product Communications Functional 2014 ISA Security WWAC Symposium Robustness Security Development Lifecycle Aug 5-7, 2014 Orlando, Florida, USA 5

6 IEC Standards IEC Standards Status Aug 5-7, 2014 Orlando, Florida, USA 6

7 End User Standards Check security features for the system and it s operation NERC-CIP Provide guidance on how the system should be procured, installed and operated IEC Provide Guidance on how to implement a security program NIST Security Framework Aug 5-7, 2014 Orlando, Florida, USA 7

NIST Framework Complements, and does not replace, an organization s existing

Organizations can use its current processes and leverage the framework to identify

Core Functions Categories Subcategories Informative Reference Tier 1 - Partial 2 -

8 NIST Framework Complements, and does not replace, an organization s existing business or cybersecurity risk management process and cybersecurity program. Organizations can use its current processes and leverage the framework to identify opportunities to improve an organization s cybersecurity risk management. Core Functions Categories Subcategories Informative Reference Tier 1 - Partial 2 - Risk Informed 3 - Repeatable 4 - Adaptive Profile Establish a Roadmap Aug 5-7, 2014 Orlando, Florida, USA 8

9 NIST Framework mapping to existing standards NIST Framework requirements map back to existing standards. IEC62443, NIST SP etc Aug 5-7, 2014 Orlando, Florida, USA 9

The system as delivered meets specific security levels or provides functionalities.

10 System Integrator Standards mean The System was developed by trusted parties. The end users data was secured during and after system development. The system as delivered meets specific security levels or provides functionalities. The system can be patched and maintained securely. The staff that will maintain the system are trusted. IEC Self Certification Aug 5-7, 2014 Orlando, Florida, USA 10

11 Vendor /Product Standards The product or system was developed in a secure way to minimise the risk of unknown security flaws. The product has a defined set of security functions. Aug 5-7, 2014 Orlando, Florida, USA 11

12 Choosing the correct Standard End user standards for guidance on plant operation. System Integrator standards to ensure the system is delivered securely. Product standards to ensure that products meet a minimum level of functionality. Aug 5-7, 2014 Orlando, Florida, USA 12

BostonONE Campus 800 Federal Street Andover, MA 01810-1067 Office:

13 Questions? David Doggett Cybersecurity Program Director Industry Business BostonONE Campus 800 Federal Street Andover, MA Office: Mobile: Aug 5-7, 2014 Orlando, Florida, USA

Cyber Security What Do I Need to Do Now?

Cyber Security What Do I Need to Do Now? PA AWWA 2016 Annual Conference Thursday, May 12, 2016 2:45 3:15 PM Presented by Dick McDonnell Authored by Jeff M. Miller, PE, ENV SP WARNING! Schneider Electric