2019-11-07

David Hanlon
Secretary, IEC Conformity Assessment Board (CAB)
UNECE WP.6 annual meeting
UNOG, Geneva, 22nd November, 2019

UN CRO Guidelines for Cybersecurity
• Draft version endorsed in November 2018
• Further developed during 2019
• Added sector examples (uncompleted)
• Currently circulated for review
• Endorsement of 2nd draft expected Nov. 2019

1st & 2nd draft versions available here: http://www.unece.org/tradewelcome/tradewp6/groups/cybersecurity.html
Use appropriate conformity assessment (CA) at appropriate points according to risk.
Often forgotten in other frameworks, yet essential.
Systematic Methodology
1) Map sector application to Generic Matrix Model (GMM)
2) Risk analysis of sector application map
o Identify and rate risk points
3) Determine appropriate level of CA for each risk point according to risk level rating
4) Identify requirements documents (standards)
o Determine what is available/appropriate (standards gap analysis)
o Determine how to fill the gaps (standards development)
5) Apply appropriate CA to appropriate standards at each risk point
Periodic: Review, revise, renew (R3)
Systematic Methodology: Generic Matrix Model (GMM)
SYSTEM MODEL: Components, Interconnections, Interventions
OBJECTS OF CONFORMITY: Products, People, Processes
• Components: product A, B, C…; product development; product manufacture; etc.
• Interconnections: systems integration design; systems integration implementation / realisation; etc.
• Interventions: asset owner operation; systems upgrades / patch management; vendor & service providers; etc.
Systematic Methodology: Generic Matrix Model (GMM), matrix entries
• Testing
• Product design competency
• Systems design competency
• Manufacturing processes
• Product manufacturing competency
• Design processes
• IT/OT competency
• IT/OT competency
• Systems build competency
• Component selection processes
• Design / realization processes
• People selection processes
• Supplier qualification processes
• Service processes
Generic Matrix Model (GMM), matrix entries (next slide)
• Patch management
• Testing
• Supplier qualification processes
• Product manufacturing competency
• Manufacturing processes
• Interoperability
• Product design competency
• Design processes
• IT/OT competency
• Service processes
• Systems build competency
• Component selection processes
Generic Matrix Model (GMM)
Annex C - sector examples (uncompleted)
http://www.unece.org/tradewelcome/tradewp6/groups/cybersecurity.html
• 8 sector examples
o Corporate system
o Medical network system
o Banking system
o Railway system
o Traditional energy utility system
o Smart grid electrical system
o Active assisted living system
o Networked vehicles
Each sector example has a GMM table indicating standards that can be used in the different phases and applications of the system.
The GMMs are not complete.
The uncompleted sector examples with GMMs are included in order to stimulate discussion.