Industrial control system (ICS) security

Similar documents
Cybersecurity Protecting your crown jewels

Strategic threat advisory services

IoT & SCADA Cyber Security Services

Securing Industrial Control Systems

Contact us What makes us different Dinesh Anand Our offices Forensic Bangalore Kolkata Cutting-edge technology to deliver more efficiently Services

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Why you should adopt the NIST Cybersecurity Framework

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Statement for the Record

CYBER RESILIENCE & INCIDENT RESPONSE

Enhancing the cyber security &

Functional. Safety and. Cyber Security. Pete Brown Safety & Security Officer PI-UK

Industrial Security - Protecting productivity. Industrial Security in Pharmaanlagen

Cybersecurity Overview

PROTECTING MANUFACTURING and UTILITIES Industrial Control Systems

Industrial Cyber Security. ICS SHIELD Top-down security for multi-vendor OT assets

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Building a resilient ICS

European Union Agency for Network and Information Security

Control Systems Cyber Security Awareness

LESSONS LEARNED IN SMART GRID CYBER SECURITY

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

SWIFT Customer Security Programme

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

Continuous protection to reduce risk and maintain production availability

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

The NIS Directive and Cybersecurity in

locuz.com SOC Services

Cyber Security of Industrial Control Systems (ICSs)

Gujarat Forensic Sciences University

Cyber security - why and how

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Securing Network Devices with the IEC Standard What You Should Know. Vance Chen Product Manager

NW NATURAL CYBER SECURITY 2016.JUNE.16

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Measuring and Evaluating Cyber Risk in ICS Components, Products and Systems

Governing cyber security risk: It s time to take it seriously Seven principles for Boards and Investors

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

Innovation policy for Industry 4.0

Enhancing the security of CIIPs in Europe - ENISA s Approach Dimitra Liveri Network and Information Security Expert

Smart Grid Standards and Certification

Rethinking Information Security Risk Management CRM002

Discussion on MS contribution to the WP2018

Cyber Resilience. Think18. Felicity March IBM Corporation

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Sage Data Security Services Directory

Information Security Controls Policy

Maturity assessment on Cybersecurity for critical infrastructures

Cyber Risk and Networked Medical Devices

Critical Infrastructure Analysis and Protection - A Case for Secure Information Exchange. August 16, 2016

ENISA Cooperation in the EU / NIS Directive

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

Digital Health Cyber Security Centre

Industrial Defender ASM. for Automation Systems Management

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

Protecting Control Systems from Cyber Attack: A Primer on How to Safeguard Your Utility May 15, 2012

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Cybersmart Buildings: Securing Your Investments in Connectivity and Automation

IPM Secure Hardening Guidelines

Cyber Security. It s not just about technology. May 2017

Cyber Threat Landscape April 2013

SOLUTION BRIEF Virtual CISO

The Australian Government s Approach to Critical Infrastructure Resilience

Global Security Consulting Services, compliancy and risk asessment services

Cybersecurity Threat Modeling ISACA Atlanta Chapter Geek Week Conference

Medical Device Cybersecurity: FDA Perspective

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

TEL2813/IS2820 Security Management

Energy Assurance Plans

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

SECURE SYSTEMS, NETWORKS AND DEVICES SAFEGUARDING CRITICAL INFRASTRUCTURE OPERATIONS

PIPELINE SECURITY An Overview of TSA Programs

ICS-CERT Year in Review. Industrial Control Systems Cyber Emergency Response Team

Understanding Holistic Effects of Cyber Events on Critical Infrastructure

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Cyber security for digital substations. IEC Europe Conference 2017

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

Position Description. Computer Network Defence (CND) Analyst. GCSB mission and values. Our mission. Our values UNCLASSIFIED

Cybersecurity The Evolving Landscape

13th Florence Rail Forum: Cyber Security in Railways Systems. Immacolata Lamberti Andrea Pepato

Effective Cyber Incident Response in Insurance Companies

ABB Process Automation, September 2014

Water Information Sharing and Analysis Center

Medical Devices and Cyber Issues JANUARY 23, American Hospital Association and BDO USA, LLP. All rights reserved.

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

BHConsulting. Your trusted cybersecurity partner

Firewalls (IDS and IPS) MIS 5214 Week 6

Department of Management Services REQUEST FOR INFORMATION

Risk Management in the Energy Sector: Evolving Cybersecurity Risks & Strategies

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21

Best Practices in ICS Security for System Operators

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

WHITE PAPER. Vericlave The Kemuri Water Company Hack

Security Management Models And Practices Feb 5, 2008

Transcription:

Industrial control system (ICS) security Contents 1. Operations technology and ICS 2. Threat to ICS sector 3. Adapting standards 4. How PwC can help Operations technology and ICS Operations technology (OT) is the term used in industrial operations. It comprises control systems, networks and other industrial automation components that control physical processes and assets. Control systems are at the heart of the nation s critical infrastructure, which includes electric power, oil and gas, water and waste water, manufacturing, transportation, agriculture and chemical factories. ICSs, which are a part of the OT environment in industrial enterprises, encompass several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), and other smaller control system configurations such as programmable logic controllers (PLCs), remote terminal units (RTUs), intelligent electronic devices (IEDs) and other field devices. ICSs were originally designed to increase performance, reliability and safety by reducing manual effort. Security was achieved by physical isolation, or a so-called air gap (security by obscurity). Today, the world is talking about connecting everything to the Internet. The fourth industrial revolution (Industry 4.0), a term used to draw together cyber-physical systems, the Internet of things (IoT) and Internet of services, has started to find more resonance with OEMs, system integrators and asset owners. Thus, it is only a matter of time before a lot of ICS information is routed to sophisticated applications across enterprises through a wide area network where security by obscurity no longer offers valid protection. Governments plan to connect ICSs to the Internet for projects such as smart grids and smart cities, which will significantly increase the risk of intrusion from malicious actors. Threat to ICS sector With ICS increasingly getting integrated with the corporate network and Internet to meet business requirements, the sector is obviously opening itself to the world of attackers. This is evident from many global information security surveys, including the widely followed one by ICS-CERT. As highlighted in the figure below, almost all critical infrastructure is targeted. There are two major types of security threats associated with ICS: Inadvertent Safety failures Natural disasters Equipment failures Human mistakes Deliberate Disgruntled employees Industrial espionage Cyber hackers Viruses and worms Terrorism www.pwc.in

Critical manufacturing 64 26% Energy 81 32% Communications 8 3% Food and agriculture 2 1% Commercial facilities 6 3% Chemical 4 3% Finance 3 1% Unknown 16 7% Water 13 5% Transportation 12 5% Nuclear 6 2% Information technology 4 2% Healthcare 15 6% Government facilities 9 4% Source: ICS CERT ICSs have various weaknesses, which make them easy targets for attackers: Legacy control system Lack of cyber security considerations in network architecture/segmentation Poor network protocol implementation Weak network component configuration Plain text traffic Insecure encryption and authentication for wireless ICS networks Weak protection of ICS systems from the enterprise IT network Poor programming and code quality Vulnerable web services Poor passwords practices and weak authentication Insecure remote connectivity to ICS networks No integrity checks at critical asset level Poor patch management Least user privilege violation With cyberattacks continuing to escalate in frequency, severity and impact year after year, ensuring the cyber security of these systems is of paramount importance.

Adapting standards Legacy control system To overcome ICS threats, many government agencies, non-profit organisations and nation states have developed different standards over the years. A few of the standards are country specific, while a few others are globally applicable. These standards provide guidance for developing defence-in-depth strategies to organisations that use ICS components. These standards provide information related to secure configuration, best practices, security policy, secure network architecture and secure operating procedures. Three factors are very critical to these standards: process, technology and people. Together, they are responsible for the security of the system. People How are people following the processes? Security How is the solution deployed, operated and maintained? What is technically implemented in the automation solution? Process Technology In India, the National Critical Information Infrastructure Protection (NCIIPC) guidelines are used by the public and private sectors to secure the critical national infrastructure. Number of Controls: 12 Controls required to be assessed at the conceptualization and design stage to ensure that security is taken as a key design parameter for all new CII. NCIIPC Critical Controls Planning Controls Implementation Controls Operational Controls BCP / DR Controls Reporting and Accountability Controls Number of Controls: 6 Controls required to translate the design/conceptualization to adequate and accurate security configurations. These controls also come into play in case of retrofitting existing, unprotected/poorly protected CII. Number of Controls: 11 Controls required to ensure that security posture is maintained in the operational environment. These controls also come into play in case of retrofitting existing, unprotected/poorly protected CII. Number of Controls: 3 Controls required to ensure minimum downtime, as well as to ensure that the restoration process factors in, and overcomes the initial vulnerabilities, to ensure graceful degradation/minimum maintenance of service provided by CII. Number of Controls: 3 Controls required to ensure that adequate accountability and oversight is exercised by Senior management, as well as reposting to concerned Government agencies when required.

Global ICS security standards: IEC- 62443 IEC 61508 ANSSI Global Standards NIST SP800-82 DHS - CSSP Recommended Practices CPNI - Process Control and SCADA security ENISA - Protecting Industrial Control Systems NIST - Framework for Improving Critical Infrastructure Cybersecurity ISO/IEC TR 27019 NISTIR 7628 DoE - 21 steps for SCADA security Energy API - API 1164 Pipeline SCADA Security NERC - Critical Infrastructure Protection IEC 62351 DoE - Cyber Security Procurement Language for Control Systems Version ENISA - Appropriate security measures for smart grids Nuclear IAEA - Computer Security at Nuclear Facilities NRC - Regulatory Guide 5.71 NRC -10 CFR - 73.54 Each sector faces different challenges and threats, and the standards vary accordingly. For example, NERC CIP applies to the energy sector, while a few standards are globally applicable, such as IEC 62443. How PwC can help Strategy and governance Defining a comprehensive cyber security strategy, prioritising investments and aligning security capabilities with strategic 1 imperatives of the organisation 2 Defining 3 An 4 Establishing Security architecture business-driven security architecture to protect business critical information Security implementation integrated approach towards selecting and implementing security solutions Threat and vulnerability management (TVM) a TVM programme to protect, detect and respond to vulnerabilities in technologies Risk and compliance Effective management of compliance with organisational policies and industry-specific regulatory requirements and 5 standard like NIST and IEC62443 6 Establishing 7 Establishing Incident management a cyber response framework to contain security incidents and minimise damage Managed services and managing best-in-class security operations centres for clients 8 identities Identity and access management Taking into account business requirements and trends to provide a holistic view for managing and maintaining

PwC tailors its services based on the sector and its criticality. PwC provides cyber security services to increase the security posture of your ICS/OT systems from threats. Some of the services are as follows: 1) ICS risk assessments As a first step, we conduct a security assessment of the ICS infrastructure based on custom or relevant standards to assess the current state vs security best practices. The assessment covers system records and activities to determine the adequacy of system controls. The activities include a review of network architecture and network security systems configuration to assess the operating efficiency of technical controls. 2) ICS vulnerability assessment (VA)/penetration testing (PT) Our cyber security team is well versed with the ICS environment and its challenges. We have subject matter experts in VA/PT of ICS components. A three-step approach is followed to examine the ICS security posture: Test ICS network from the Internet Test ICS network from IT Testing selected offline ICS systems for vulnerabilities 3) Compliance assistance Source: ICS-CERT US PwC can help industries in adapting the international and country-specific security standards mentioned in a previous section of this document. We can also can help industries to develop their own ICS standards and policies based on the environment s criticality. 4) Security operations centre (SOC): PwC provides services SOCs to set up a combined ICS-IT environment, which will enable you to monitor and act upon the treats and attacks.

About PwC At PwC, our purpose is to build trust in society and solve important problems. We re a network of firms in 157 countries with more than 2,08,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com In India, PwC has offices in these cities: Ahmedabad, Bengaluru, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai and Pune. For more information about PwC India s service offerings, visit www.pwc.com/in PwC refers to the PwC International network and/or one or more of its member firms, each of which is a separate, independent and distinct legal entity in separate lines of service. Please see www.pwc.com/structure for further details. 2016 PwC. All rights reserved Contacts Sivarama Krishnan Leader, Cyber Security Tel: +91 (124) 626 6707 sivarama.krishnan@in.pwc.com Siddharth Vishwanath Partner, Cyber Security Tel: +91 (22) 66691559 siddharth.vishwanath@in.pwc.com Hemant Arora Executive Director, Cyber Security Tel: +91 (124) 626 6717 Hemant.arora@in.pwc.com PVS Murthy Executive Director, Cyber Security Tel : +91 (22) 66691214 pvs.murthy@in.pwc.com Manu Dwivedi Partner, Cyber Security Tel: +91 (0) 80 4079 7027 manu.dwivedi@in.pwc.com @ Sundareshwar Krishnamurthy Partner, Cyber Security Tel: +91 (22) 6119 8171 sundareshwar.krishnamurthy@in.pwc.com pwc.in Data Classification: DC0 This document does not constitute professional advice. The information in this document has been obtained or derived from sources believed by PricewaterhouseCoopers Private Limited (PwCPL) to be reliable but PwCPL does not represent that this information is accurate or complete. Any opinions or estimates contained in this document represent the judgment of PwCPL at this time and are subject to change without notice. Readers of this publication are advised to seek their own professional advice before taking any course of action or decision, for which they are entirely responsible, based on the contents of this publication. PwCPL neither accepts or assumes any responsibility or liability to any reader of this publication in respect of the information contained within it or for any decisions readers may take or decide not to or fail to take. 2016 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, PwC refers to PricewaterhouseCoopers Private Limited (a limited liability company in India having Corporate Identity Number or CIN : U74140WB1983PTC036093), which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity. MJ/August2016-7136

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback