Protection Levels, Holistic Approach. ISA-99 WG 3 TG 3 Protection Levels

Similar documents
Industrial Security - Protecting productivity IEC INDA

Hvordan kommer man i gang med et Industrial Security-koncept?

Achilles System Certification (ASC) from GE Digital

Functional. Safety and. Cyber Security. Pete Brown Safety & Security Officer PI-UK

Security analysis and assessment of threats in European signalling systems?

Altius IT Policy Collection

IEC A cybersecurity standard approaching the Rail IoT

Siemens Research Cyber Security

ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

locuz.com SOC Services

ISA99 - Industrial Automation and Controls Systems Security

Industrial Security - Protecting productivity. Industrial Security in Pharmaanlagen

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

Be Secure! Computer Security Incident Response Team (CSIRT) Guide. Plan Establish Connect. Maliha Alam Mehreen Shahid

Industrial Cyber Security. ICS SHIELD Top-down security for multi-vendor OT assets

Plant Security Services Protecting productivity in the digital era October

Industrial Security Getting Started

Industrial Defender ASM. for Automation Systems Management

Cybersecurity Auditing in an Unsecure World

Altius IT Policy Collection Compliance and Standards Matrix

Enabling Security Controls, Supporting Business Results

Cyber security for digital substations. IEC Europe Conference 2017

Water Information Sharing and Analysis Center

Continuous protection to reduce risk and maintain production availability

Security Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:

Cyber Security Standards Developments

Cyber security - why and how

Nebraska CERT Conference

Cyber Security for Process Control Systems ABB's view

CIP Cyber Security Configuration Management and Vulnerability Assessments

Altius IT Policy Collection Compliance and Standards Matrix

CompTIA Security+ Study Guide (SY0-501)

Protect Your Organization from Cyber Attacks

SECURITY SERVICES SECURITY

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

Tech Advantage Benchmarking Your Cyber Security Program. March 5, 2014

t a Foresight Consulting, GPO Box 116, Canberra ACT 2601, AUSTRALIA e foresightconsulting.com.

भ रत य ररज़र व ब क. Setting up and Operationalising Cyber Security Operation Centre (C-SOC)

Standard CIP Cyber Security Systems Security Management

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

IT Security Training MS-500: Microsoft 365 Security Administration. Upcoming Dates. Course Description. Course Outline $2,

Checklist: Credit Union Information Security and Privacy Policies

Just How Vulnerable is Your Safety System?

E-guide CISSP Prep: 4 Steps to Achieve Your Certification

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

EVALUATING HOW AN OPERATOR HAS EFFECTIVELY IMPLEMENTED CYBER- SECURITY POLICIES TO MANAGE AND ADMINISTER THE SYSTEM. Wurldtech Security Technologies

CIP Cyber Security Systems Security Management

COMPASS FOR THE COMPLIANCE WORLD. Asia Pacific ICS Security Summit 3 December 2013

NERC CIP: Fundamental Security Requirements of an Electronic Access Control and Monitoring System (EACMS) Requirements Mapping to ConsoleWorks

Pillar 4: Be Accountable: Implement your Privacy & Data Protection (PDP) Measures Legal Basis: Sec. 20.a-e, 22 and 24 of the DPA, Sections of

Education Network Security

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

CompTIA Mobility+ Certification

T22 - Industrial Control System Security

Standard CIP 007 4a Cyber Security Systems Security Management

Ensuring Your Plant is Secure Tim Johnson, Cyber Security Consultant

SOLUTION BRIEF RSA ARCHER BUSINESS RESILIENCY

Security Audit What Why

GUIDE. MetaDefender Kiosk Deployment Guide

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

C T I A CERTIFIED THREAT INTELLIGENCE ANALYST. EC-Council PROGRAM BROCHURE. Certified Threat Intelligence Analyst 1. Certified

CIP Cyber Security Security Management Controls. A. Introduction

Certified Information Security Manager (CISM) Course Overview

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

TEL2813/IS2820 Security Management

Metso Automation Services. business solution. Safety and security. Securing business

CCISO Blueprint v1. EC-Council

Recommendations for Implementing an Information Security Framework for Life Science Organizations

RSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief

Cyber Security Solutions Mitigating risk and enhancing plant reliability

CompTIA A+ Certification ( ) Study Guide Table of Contents

EXAM PREPARATION GUIDE

E-guide Getting your CISSP Certification

Critical Cyber Asset Identification Security Management Controls

Digital Wind Cyber Security from GE Renewable Energy

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Security Management Models And Practices Feb 5, 2008

AUTHORITY FOR ELECTRICITY REGULATION

LESSONS LEARNED IN SMART GRID CYBER SECURITY

New Guidance on Privacy Controls for the Federal Government

Sirius Security Overview

Disaster Recovery and Business Continuity Planning (Mile2)

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

K12 Cybersecurity Roadmap

CYBER RISK MANAGEMENT: ADDRESSING THE CHALLENGE SIMON CRUMPLIN, FOUNDER & CEO

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

Security

Standard Development Timeline

Cyber Criminal Methods & Prevention Techniques. By

IC32E - Pre-Instructional Survey

CISA Training.

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Security Automation & Orchestration That Won t Get You Fired. Syra Arif Advisory Security Solutions Architect November 2017

Alberta Reliability Standard Cyber Security Electronic Security Perimeter(s) CIP-005-AB-5

Standard CIP Cyber Security Systems Security Management

Transcription:

Protection Levels, Holistic Approach

Security is about technology, processes and people Policies and procedures Functional security measures Competency A holistic security protection concept has to include technology, processes and people

A holistic security concept is context dependent Onsite / project specific How is the automation solution operated and maintained? How has the automation solution been deployed? Protection Levels What is technically implemented and configured in the automation solution? How are people following the processes? Offsite / project independent How have the products been developed? Which capabilities are offered by a service provider? Capability Levels What are the functional security capabilities of the products? How are people following the processes?

A holistic security concept is context dependent Onsite / project specific Protection Levels Offsite / project independent Capability Levels

What are Protection Levels? Onsite / site specific Operational policies and procedures Maintenance policies and procedures Integration policies and procedures Functional security capabilities configured for the Automation Solution 2-1 2-4 3-3 Competency Protection Levels is a methodology to evaluate the protection of plants in operation The methodology includes the evaluation of technical capabilities AND the related processes in a combined evaluation Page 5

Protect Levels bridges two worlds Easy to handle, easy to communicate Level 1 Level 2 Easy to handle Level 3 Level 4 Common language Complex, multidimensional Role based access Network segmentation Firewalls Data encryption Certification Governmental acts Dashboard Protection of the plant Protection Levels Audit trail Data integrity Back-up / restore Patch management NON EXPERT Wireless Event management Asset Owner Insurance company Governmental body Insurance fees Authenticator management IEC 62443-2-1 IEC 62443-2-3 IEC 62443-3-3 IEC 62443-2-4 IEC 62443-4-1 Remote access IEC 62443-4-2

Usage of Protection Levels by the Asset Owner Easy to handle, easy to communicate Provide a consistent and repeatable way evaluate current security posture / achievement of Protection Levels Provide a consistent and repeatable way to define security targets for solution providers SOLUTION PROVIDER ASSET OWNER ASSET OWNER Protection Levels Methodology to differentiate the level of risk reduction provided by a security control class e.g. how effective is a given security control class in a specific application Provide a consistent and repeatable way to demonstrate security posture to governments, regulators, insurance companies, etc. GOVERNMENTS REGULATORS ASSET OWNER INSURANCE COMPANIES 7

Protection Levels combine the evaluation of technical and organizational measures Protection against cyber threats in operational phase Industrial Automation and Control System (IACS) Protection Levels Organizational measures Processes People Operational Maintenance Integration Technical measures of the Automation Solution

Protection Levels is based on slices of IEC 62443 grouped into Security Control Classes (SCCs)

Examples of potential SCCs IEC 62443-2-1 Protection Levels IEC 62443-2-4 IEC 62443-3-3 Capability Levels Products Malware Protection 4.3.4.3.8 Establish and document antivirus/malware management procedure SP 10.xx Malware protection SR 3.2 Malicious code protection CR 3.2 Malicious code protection Event Management 4.3.4.5.x Incident planning and response 4.3.2.5.x Business continuity plan SP 08.xx Event management SR 2.8 Auditable events SR 2.9 Audit storage capacity SR 2.10 Response to audit processing failures SR 2.11 Timestamps SR 6.1 Audit log accessibility CR 2.8 Auditable events CR 2.9 Audit storage capacity CR 2.11 Timestamps SR 6.2 Continuous monitoring 10

Examples of potential SCCs IEC 62443-2-1 Protection Levels IEC 62443-2-4 IEC 62443-3-3 Capability Levels Products Backup Restore 4.3.4.3.9 Establish backup and restoration procedure SP12.xx Backup/Restore SR 7.3 Control system backup SR 7.4 Control system recovery and reconstitution User Management And Access Control 4.3.3.5.x Access control Account administration 4.3.3.6.x Access control Authentication 4.3.3.7.x Access control Authorization SP 09.xx Account management SP 08 Event management FR 1 Identification and authentication control FR 2 Use control FR 1 Identification and authentication control FR 2 Use control 11

SCCs can have different granularity Easy to handle, easy to communicate Complex, multidimensional Views Security Control Classes (SCCs) NON EXPERT Asset Owner Insurance company Governmental body 12

Protection Level can have different use cases Level of protection of a plant in operation How secure is my IACS Level of risk reduction provided by a security control class How effective is a given security control class in a specific application NON EXPERT Asset Owner Insurance company Governmental body 13

Protection Levels link both worlds Easy to handle, easy to communicate Complex, multidimensional Protection Levels NON EXPERT Asset Owner Insurance company Governmental body 14

Each requirement is mapped to one or several SCCs Easy to handle, easy to communicate Complex, multidimensional Each reqt mapped to one or several Each reqt mapped to one or several Each reqt mapped to one or several IEC 62443-2-1 IEC 62443-2-4 IEC 62443-3-3 Each reqt mapped to one or several Each reqt mapped to one or several Each reqt mapped to one or several NON EXPERT Asset Owner Insurance company Governmental body 15

Examples of mapping to one or several SCCs Easy to handle, easy to communicate Complex, multidimensional 4.3.3.6.x Access control Account administration IEC 62443-2-4 IEC 62443-3-3 NON EXPERT Asset Owner Insurance company Governmental body 16

Examples of mapping to one or several SCCs Easy to handle, easy to communicate Complex, multidimensional IEC 62443-2-1 SP12.xx Backup/Restore IEC 62443-3-3 NON EXPERT Asset Owner Insurance company Governmental body 17

Examples of mapping to one or several SCCs Easy to handle, easy to communicate Complex, multidimensional IEC 62443-2-1 IEC 62443-2-4 SR 1.2 Software process and device identification and authentication NON EXPERT Asset Owner Insurance company Governmental body 18

Examples of mapping to one or several SCCs Easy to handle, easy to communicate Complex, multidimensional IEC 62443-2-1 IEC 62443-2-4 SR 1.1 Human user identification and authentication NON EXPERT Asset Owner Insurance company Governmental body 19

Maturity Level Protection Levels cover security functionalities and processes Based on IEC 62443-3-3 Based on IEC 62443-2-1, ISO 27000 and on IEC 63443-2-4 Evaluation of security functionalities Evaluation of security processes SL 1 Capability to protect against casual or coincidental violation ML 1 Initial - Process unpredictable, poorly controlled and reactive. SL 2 Capability to protect against intentional violation using simple means with low resources, generic skills and low motivation ML 2 Managed - Process characterized, reactive SL 3 Capability to protect against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation ML 3 Defined - Process characterized, proactive deployment SL 4 Capability to protect against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation ML 4 Improved - Process measured, controlled and continuously improved Protection Levels Page 20 3 or 4 1 or 2 No PL according to this standard 1 2 3 4 Security Level PL 1 PL 2 PL 3 PL 4 Protection against casual or coincidental violation Protection against intentional violation using simple means with low resources, generic skills and low motivation Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation

Backup

Maturity Level Protection Levels cover security functionalities and processes Based on IEC 62443-3-3 Based on IEC 62443-2-1, ISO 27000 and on IEC 63443-2-4 Evaluation of security functionalities Evaluation of security processes SL 1 Capability to protect against casual or coincidental violation ML 1 Initial - Process unpredictable, poorly controlled and reactive. SL 2 Capability to protect against intentional violation using simple means with low resources, generic skills and low motivation ML 2 Managed - Process characterized, reactive SL 3 Capability to protect against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation ML 3 Defined - Process characterized, proactive deployment SL 4 Capability to protect against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation ML 4 Improved - Process measured, controlled and continuously improved Protection Levels 4 PL 1 Protection against casual or coincidental violation Page 22 3 2 1 1 2 3 4 Security Level PL 2 PL 3 PL 4 Protection against intentional violation using simple means with low resources, generic skills and low motivation Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation

Use of protection levels in the workflow described in part 3-2

Use of protection levels in the lifecycle described in part 1-1

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback