Security Standardization and Regulation An Industry Perspective

Similar documents
Cyber Security for Industries. Dr. Rainer Falk Principal Key Expert

Platform Economy and Trustworthiness Standardization

Combating Cyber Risk in the Supply Chain

The emerging battle between Cyber Defense and Cybercrime: How Technology is changing to keep Company and HR data safe

Measuring and Evaluating Cyber Risk in ICS Components, Products and Systems

ISACA West Florida Chapter - Cybersecurity Event

Cybersecurity and Hospitals: A Board Perspective

Cyber-Threats and Countermeasures in Financial Sector

CYBER SECURITY AND MITIGATING RISKS

Cybersecurity and Nonprofit

European Union Agency for Network and Information Security

Business continuity management and cyber resiliency

NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO

Cyber Criminal Methods & Prevention Techniques. By

Information technology Security techniques Information security controls for the energy utility industry

How will cyber risk management affect tomorrow's business?

CYBER SECURITY AIR TRANSPORT IT SUMMIT

Security in grid control centers: Spectrum Power TM Cyber Security

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Siemens view and approach on critical infrastructure resilience against cyberthreats Joint OECD-JRC Workshop, Paris September 2018

Statement for the Record

Challenges in Developing National Cyber Security Policy Frameworks

Rethinking Information Security Risk Management CRM002

Industrial Security - Protecting productivity. Industrial Security in Pharmaanlagen

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Cybersecurity The Evolving Landscape

Cybersecurity Vulnerabilities and Process Frameworks for Oil and Gas

PROTECTING NATIONAL CRITICAL INFRASTRUCTURE AGAINST CYBER ATTACKS BEST PRACTICES RELATED TO TECHNOLOGY AND STANDARDS FROM EUROPE BANGKOK

How a global industry player addresses the Cybersecurity challenges of Air Transport

The Cyber War on Small Business

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

Cyber fraud and its impact on the NHS: How organisations can manage the risk

Cyber Security Update. Bennett L. Gaines Senior Vice President, Corporate Services, CIO, FirstEnergy 2012 Summer Seminar August 5-7, 2012

Personal Cybersecurity

IEC A cybersecurity standard approaching the Rail IoT

Digital Wind Cyber Security from GE Renewable Energy

Cyber Security in Smart Commercial Buildings 2017 to 2021

Understanding the Changing Cybersecurity Problem

Business Continuity Management

NAVAL DISTRICT WASHINGTON SMARTSHORE CASE STUDY Jeff Johnson NDW CIO (N6)

Cybersecurity for the Electric Grid

Cyber Insurance: What is your bank doing to manage risk? presented by

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

Incident Response. Tony Drewitt Head of Consultancy IT Governance Ltd

Understanding Cyber Insurance & Regulatory Drivers for Business Continuity

Cyber (In)Security. What Business Leaders Need To Know. Roy Luebke Innovation and Growth Consultant. Presented by:

Cyber COBIT. Ophir Zilbiger, CEO SECOZ Shay Zandani, CEO CyberARM. December 2013

Security analysis and assessment of threats in European signalling systems?

Altitude Software. Data Protection Heading 2018

Perspectives on Cybersecurity

Security Policies and Procedures Principles and Practices

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Innovation policy for Industry 4.0

Security Challenges with ITS : A law enforcement view

CYBER SECURITY RISK ASSESSMENT: WHAT EVERY PENSION GOVERNMENTAL ENTITY NEEDS TO KNOW

ISO in the world today

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

Cyber security for digital substations. IEC Europe Conference 2017

Why Should You Care About Control System Cybersecurity. Tim Conway ICS.SANS.ORG

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

HOSTED SECURITY SERVICES

Data Breach Preparedness & Response

Data Breach Preparedness & Response. April 16, 2015 Daniel Nelson, C EH, CIPP/US Lucas Amodio, C EH

German OWASP Day 2016 CarIT Security: Facing Information Security Threats. Tobias Millauer

Functional. Safety and. Cyber Security. Pete Brown Safety & Security Officer PI-UK

falanx Cyber ISO 27001: How and why your organisation should get certified

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

In the wrong hands it s an open invitation

Information Security Management System

GDPR: The Day After. Pierre-Luc REFALO

Bringing cyber to the Board of Directors & C-level and keeping it there. Dirk Lybaert, Proximus September 9 th 2016

Unit 3 Cyber security

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

Background. Threats. Present Status. Challenges and Strategies 9/30/2009 TRAI 2

Caribbean Cyber Security: Not Only Government s Responsibility

Cyber Threat Landscape April 2013

Project 2020: Preparing Your Organization for Future Threats Today

ISO/IEC INTERNATIONAL STANDARD. Information technology Code of practice for information security management

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Cybersecurity, safety and resilience - Airline perspective

CCISO Blueprint v1. EC-Council

June 2 nd, 2016 Security Awareness

Cyber Crime Update. Mark Brett Programme Director February 2016

Managing Supply Chain Risks for SCADA Systems

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

Governance Ideas Exchange

Systemic Cyber Risk and Cyber Insurance. February 14, 2018

THE CRITICAL COMMUNICATIONS COMPANY CYBER SECURITY AS A SERVICE

PROTECTING MANUFACTURING and UTILITIES Industrial Control Systems

The SPARKS Project Motivation, Objectives and Results

Cyber (In)Security, The Internet of Things, and Risk Management

ISO/IEC Information technology Security techniques Code of practice for information security controls

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

Cybersecurity for Health Care Providers

CYBER SECURITY AND THE PENSIONS INDUSTRY Karen Tasker 1 February 2018

Advanced IT Risk, Security management and Cybercrime Prevention

Addressing the elephant in the operating room: a look at medical device security programs

General Data Protection Regulation. May 25, 2018 DON T PANIC! PLAN!

CONTEMPORARY CYBER ATTACK TRENDS AND CHALLENGES DR SHASHWAT RAIZADA

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

Transcription:

Security Standardization and Regulation An Industry Perspective Dr. Ralf Rammig Siemens AG

Megatrends Challenges that are transforming our world Digitalization In the future, we ll be living in a world that s increasingly interconnected by complex and heterogeneous systems. By 2020, the amount of data stored worldwide will have grown to 44 zettabytes. Around 50 billion devices will be linked online. Source: IDC, The Digital Universe of Opportunities: Rich Data and the Increasing Value of the Internet of Things, April 2014; Dave Evans (Cisco): The Internet of Things, How the Next Evolution of the Internet Is Changing Everything, April 2011 Page 2

Increasing Intelligence and Open Communication Drive Security Requirements in Various Industrial Environments Process Automation Factory Automation Urban Infrastructures Building Automation Energy Automation Mobility Systems Page 3

The Threat Level is Rising Attackers are Targeting Critical Infrastructures Evolution of attacker motives, vulnerabilities and exploits The Age of Computer worms Cybercrime and Financial Interests Politics and Critical Infrastructure Hacking against physical assets Code Red Slammer Blaster Zeus SpyEye Rustock Aurora Nitro Stuxnet "Hacking for fun" "Hacking for money" "Hacking for political and economic gains" States Criminals Hobbyists Organized Criminals Hacktivists State sponsored Actors Terrorists Activists Backdoors Hackers Viruses Anti-Virus Worms BlackHat Responsible Disclosure # of published vulnerabilities Botnets Adware Credit Card Fraud Phishing WebSite Hacking Banker Trojans SPAM Anonymous SCADA RSA Breach DigiNotar APT Targeted Attacks Sony Hack # of new malware samples Cyber war Hacking against critical infrastructure Identity theft Ransomware Major loss of privacy "Gläserner Bürger im Netz" 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Data sources: IBM X-Force Trend and Risk Report HP Cyber Risk Report Symantec Intelligence Report Page 4

Consequences of Security Issues can be far-reaching Security incidents can affect target solution and connected (critical) assets Degradation or disruption of customer business Breaches of legal and regulatory requirements Breaches of contractual requirements Loss of intellectual property or license fraud Examples (since 2016): Maersk Previews NotPetya Impact: Up to $300 Million Fresh Vehicle Hack Disables Airbags, Anti-lock Brakes Verizon Breach: 6 Million Customer Accounts Exposed Ukrainian Power Grid Blackout Alert: Potential Hack Attack Ransomware Attack Affects 500,000 Patients Source: https://www.databreachtoday.co.uk Loss of reputation, customers or market share Safety, Privacy, Environment Page 5

How can the occurrence and consequences of security incidents be reduced?

Industrial Systems and Office World have Different Characteristics & Requirements (Examples) Industrial Systems Office IT Protection target for security Component Lifetime Availability requirement Real-time requirement Security Standards Application of patches Anti-virus Production resources, incl. logistics Up to 20 years Very high Can be critical Under development Controlled / limited due to availability Uncommon, hard to deploy, white listing IT- Infrastructure 3-5 years Medium, delays accepted Delays accepted Focus on ISO/IEC 27000 series Regular / scheduled Common / widely used Office security concepts and solutions are not directly applicable for industrial systems Page 7

Characterization of Different Scenarios Product supplier System Integrator, Operator, Service Provider, Asset Owner Recommendations for regulation B2C Products are connected to the Internet Products with basic state-of-theart security features User has limited expertise Updates are deployed automatically or under user control Basic requirements as legal requirements according to stateof-the-art on product level (NLF) B2B / B2Critis Focus on the intended use and operational environment of the products and solutions Products with intended use specific security features Cyber Security expertise on the user s side (operator, integrator, service provider) Updates are deployed in a controlled manner Regulation of operators depending on criticality Entry level by self-declaration Regulation gives preference on process requirements rather than product certifications Page 8

A Combination of Technical Measures and Processes is needed! Committees / Standards (example) Likelihood Risk Assessment e.g. IEC TC 65 IEC 62443-3-2 Consequence Category A B C High High-risk High-risk Medium-risk Medium High-risk Medium-risk Low-risk Low Medium-risk Low-risk Low-risk Security measures Technical measures Process measures Security for products Security for solutions Rules & procedures People, Training IEC TC 57 IEC 62351-3, 4 IEC TC 65 IEC 62443-3-3 ISO/IEC JTC1/SC 27 ISO/IEC 27019 ISO TC 292 WG4 ISO 12931, ISO 16678 Page 9

IEC 62443 Standards Series A Holistic Security Approach IEC 62443 defines organizational and technical requirements for all stakeholders involved (manufacturer, integrator, operator) targets people, processes, systems, solutions and components/products applies to all types of plants, facilities and systems in all industries supports purpose fit security solutions by supporting security features with different strength used for certification of security processes and security capabilities of the solution Page 10

How could regulation support security?

Managing Cyber Security in Critical Environments through Standards and Regulations (Examples) IEC 62351-1 -14 Power systems management and associated information exchange Data and communications security IEC 62443-1-1-4-2 Industrial communication networks - Network and system security ISO/IEC 15118 Road vehicles -- Vehicle to grid communication interface ISO 27001 Information technology - Security techniques - Requirements ISO 27002 Code of Practice for information security management ISO 27019 Information security management guidelines for process control systems used in the energy utility industry on the basis of ISO/IEC 27002 Critical Infrastructure Protection CIP 001-014 Executive Order EO 13636 improving Critical Infrastructure Cyber Security IoT Cybersecurity Improvement Act 2017 Network Information Security Directive Critical Infrastructure Protection Certification and Key Measures IEEE 1588 Precision Clock Synchronization IEEE C37.238 Profile for Use of IEEE 1588 PTP in Power System Applications IEEE 1686 Intelligent Electronic Devices Cyber Security Capabilities IT Security Act B3S Standards BNetzA Security Catalogue German Energy Act Cyber Essential Scheme Direct adaptation of European NIS Directive and GDPR (General Data Protection Regulation Note: the stated organizations and standards are just examples and are not complete Page 12

Guiding Principles for Implementing Industrial Security (1) Security-by-Design shall follow a risk-based approach Product and solution security has to consider the intended use and operational environment Distinction of roles and responsibilities is recommended according to the stakeholders involved Process-related certifications are better suited to address cybersecurity than product- or solution-related certifications Page 13

Guiding Principles for Implementing Industrial Security (2) Any regulation should refer to international standards and specifications Regulation supported by standards should be preferred over tight (national) frameworks or issuing of quality/security labels Security regulations should be independent from other regulations like safety regulations or privacy regulations Manufacturer's self-declaration in accordance to international standards is the preferred means to demonstrate conformity with security requirements Page 14

What should a potential future European Security Certification Framework consider?

Application of Guiding Principles Envisioned main characteristic of a European certification framework Targeting global acceptance of the intended European certification framework Based on internationally acknowledged industry standards Reference to technical requirements, i.e., no specific solution or component should be preferred. Preference for clearly formulated conformity assessment framework at European level, inspired by the conformity assessment modules contained in decision 768/2008/EG Allow manufacturer s self-declarations Dependence of security measures on the target operational environment Independence of security certifications or regulations from those in the areas of safety or privacy. Page 16

Contact Dr. Ralf Rammig Standards and Innovation Siemens AG E-mail: ralf.rammig@siemens.com Internet siemens.com/corporate-technology Page 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback