Quality Assurance: The 80% of Industrial Control Systems (ICS) Cybersecurity -Rabbani Syed

Mr. Sayed Rabbani - Quality Assurance - The 80% of Industrial Control System Cyber security

Aug 11, 2015

Transcript
Page 1: Mr. Sayed Rabbani - Quality Assurance - The 80% of Industrial Control System Cyber security

Quality Assurance: The 80% of Industrial Control Systems (ICS) Cybersecurity - Rabbani Syed

Page 2: About me

Rabbani Syed: 27 years of wide-ranging experience in the Defense, Manufacturing, Energy, and Oil & Gas industries.

• Systems Analyst, IT Quality Management, Information Technology, Kuwait National Petroleum Company.
• Previous: Systems Engineer, Kuwait Controls Co.
  ◦ SCADA, DCS & Telemetry Systems for the Ministry of Electricity & Water (MEW), Kuwait.
• Senior Engineer, Bharat Electronics (BEL, India)
  ◦ Design & development of real-time computer systems for Electronic Warfare Systems (Anti-Radar and Electronic Counter Measure Systems)
• M. Engg. in ECE, Osmania University; B. Tech in ECE, JNTU, India
• Certifications: PMP, CISSP, CISA, CISM, CGEIT
• Certificates: ISO27001LA, ISA99 Cybersecurity Fundamentals Specialist

Page 3: Quality Assurance: The 80% of Industrial Control Systems (ICS) Cybersecurity

Overview:
1. The ICS Context
2. The Challenges
3. Technology, People, Processes
4. Quality Assurance
   ◦ Processes & Frameworks

Page 4: Changes in the ICS Architecture

• ICS now use commercial technology
• Highly connected to the internet
• Offer remote access

In the past few years, there has been an increase in the number of cyberattacks on ICS.

Page 5: The ICS Context

• ICS – Industrial Control Systems (SCADA, DCS, PLCs, Telemetry, Building Automation Systems, etc.)
• OT – Operational Technology
• IT – Information Technology

Page 6: The ICS Context

Inversion of importance in the core security goals:

• IT: Confidentiality, Integrity, Availability (in order of priority)
• OT: the same three goals in the inverse order: Availability, Integrity, Confidentiality

Page 7: The ICS Context, in Contrast with the IT Context

Differing Performance Requirements:

Page 8: The ICS Context – Differing Reliability Requirements

IT Network | ICS Network
Scheduled operations | Continuous operations
Occasional failures tolerated | Outages intolerable
Beta testing in the field acceptable | Thorough QC testing expected in a non-production environment
Modifications possible with little paperwork | Formal certifications may be required after any change

Page 9: The ICS Context – Differing Risk Management Approaches

Page 10: The ICS Context – Differing Security Architectures

IT World | ICS World
Critical systems to protect: servers, storage, etc., residing in the computer room | Critical systems to protect: PLCs and smart instruments, residing in the field

Page 11: The ICS Challenges

1. Multi-vendor EPC Contracts
2. Increasing Management Expectations
3. More than 20 ICS Cybersecurity Standards
4. SIL Certification does not evaluate Cybersecurity
5. Hackers – No Experience required
6. Unintentional Security Incidents
7. Expanding depth and breadth of ICS Security Tasks

Page 12: The Challenge: Multi-vendor EPC Contracts

Page 13: The Challenge: Management Expectations

Page 14: The Challenge: SIL Certification does not evaluate Cybersecurity

• IEC 61508 Certification (SIL Certification) does not evaluate cybersecurity.

Page 15: The Challenges – More than 20 Standards

1. ISA 99 / IEC 62443 – Cybersecurity Standard for ICS
2. NIST SP 800-82 – Guide to Industrial Control Systems Security
3. NERC CIP-002 through CIP-009
4. Oil & Gas Sector: API Standard 1164 – SCADA Security
5. Water & Wastewater Sector Standards
6. Chemical Sector Standards
7. …

Page 16: The Challenge: Hackers – No Experience required

Nessus plugins and Metasploit modules have been publicly released, enabling anyone to find and exploit these vulnerabilities.

Page 17: The Challenge: Hackers – No Experience required

www.rapid7.com, www.shodan.com; free code to crash PLCs is available on the internet.

Page 18: The Challenge: Hackers – No Experience required

Page 19: The Challenge: Unintentional Incidents

80% of actual control system security incidents were unintentional (www.risidata.com).

Page 20: Addressing ICS Cybersecurity

1. Should controls be taken away from smart instruments?
2. Why can't we build secure systems?
3. Is 100% cybersecurity ever possible?

Page 21: Addressing ICS Cybersecurity – Learning from History

Page 22: Addressing ICS Cybersecurity – Technology, People and Processes

1. Technology
   ◦ The Cost-Benefit Analysis
2. People
   ◦ Is cybersecurity awareness & training enough?
3. Processes
   ◦ Where is the end?

Page 23: Addressing ICS Cybersecurity – Technology, People and Processes

TECHNOLOGY
• Hardening servers, workstations, networks, DCS systems, PLCs, instruments…
• Implement technical monitoring & controls

PEOPLE
• Awareness
• Training
• Cybersecurity drills

PROCESSES
• Implement processes
• Monitor performance
• Review
• Improve

Page 24: Addressing ICS Cybersecurity – Technology, People and Processes

TECHNOLOGY
• The Cost-Benefit Analysis
• Constraint: COST

PEOPLE
• The Human Factor
• The End: TRUST

PROCESSES
• Quality Assurance
• Sky is the Limit

Page 25: Quality Assurance

1. QA/QC – Definitions
2. The Processes
3. Standards & Frameworks
   ◦ The ICS Standards & Frameworks
     ◦ ISA99
     ◦ …
   ◦ The IT Standards & Frameworks
     ◦ TOGAF
     ◦ COBIT
     ◦ ITIL
     ◦ …

Page 26: ICS Standards & Frameworks – ISA99 / IEC 62443

Relevant part for end users: ISA 62443-2 series, Policies & Procedures

Page 27: ICS Standards & Frameworks – ISA99 / IEC 62443 – Zones & Conduits

Page 28: IT Standards & Frameworks

1. ISO 27001
2. IT Governance – COBIT 5
3. IT Service Management – ITIL V3.1
4. Enterprise IT Architecture – TOGAF V9.1

Page 29: The Contrast – IT & ICS Standards & Frameworks

1. Technology focus: ICS standards
2. Business enablement: IT frameworks

Page 30: TOGAF 9.1

1. Enterprise IT Architecture
2. Originated from TAFIM of the early 1980s, developed by the US Dept. of Defense
3. Provides an approach for designing, planning, implementing, and governing an enterprise Information Technology architecture.

Page 31: COBIT 5

1. Governance & Management Framework for Enterprise IT – End to End
2. Building on a 16-year history
3. Provides structure, practices and tools to:
   ◦ Proactively deliver value
   ◦ Manage risk
   ◦ Maximize ROI

Page 32: ITIL V3.1

1. IT Service Management Framework
2. Originated in the late 1980s with the UK Government's CCTA
3. Focus on optimal service provisioning at justifiable cost

Pages 33–35: NIST Cybersecurity Framework

Page 36: IT Frameworks: Enabling ICS Security

1. ICS Security – Purchase Specifications
2. ICS Security Portfolio Management
3. Business Justification
4. Compliance with Regulations
5. Business Risk Management

Page 37: Quality Assurance: The 80% of ICS Cybersecurity

THANK YOU