1 / 16

Applying ISO 27001 in an industrial control environment

Applying ISO 27001 in an industrial control environment. Riemer Brouwer – Head IT Security ADCO rbrouwer@adco.ae. Doha , Febr uary 2014. A basic IT security principle is to follow a risk-based approach. …yet SCADA systems are often overlooked, despite their huge significance. SCADA

yoko
Télécharger la présentation

Applying ISO 27001 in an industrial control environment

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Applying ISO 27001 in an industrial control environment Riemer Brouwer – Head IT Security ADCO rbrouwer@adco.ae Doha, February 2014

  2. A basic IT security principle is to follow a risk-based approach

  3. …yet SCADA systems are often overlooked, despite their huge significance SCADA Systems IT Security out of balance Corporate IT “Somehow risk assessment for SCADA went terribly wrong: Pantries are often better protected than control rooms”

  4. SCADA systems are used to control complex industries such as utility plants (water, electricity), oil & gas refineries etc.

  5. As a result, SCADA systems usually seem highly complex, and understanding them takes time and effort

  6. Yet….SCADA systems are actually quite basic in nature Start Cooling Above 23.0 Below 22.0 Start Heating Continuous Loop

  7. Industrial control systems have a few core elements that are critical to cybersecurity Set points: upper and lower limits that initiate action Start Cooling Start Heating Continuous Loop Sensors: in this case the thermometer Actuators: in this case the ventilator The network, connecting the sensors with the actuators Above 23.0 Below 22.0 Main Control Server, monitoring the sensors and controlling the actuators

  8. Some “reasons” for ignoring the IT security aspects of control systems, are the result of fundamental misconceptions 1. FALSE! • Misconception: “The SCADA system resides on a physically separate, standalone network.” • In reality, SCADA networks and corporate IT systems are often bridged through remote access which allows engineers to monitor and control the system from points on the corporate network. Also, many utilities have added connections to allow corporate decision makers to obtain instant access to critical data about the status of their operational systems 2. FALSE! • Misconception: “Connections between SCADA systems and other corporate networks are protected by strong access controls.” • Many of the interconnections between corporate networks and SCADA systems require the integration of systems with different communications standards. The complexity of integrating disparate systems often creates security risks that are not taken into account. 3. • Misconception: “SCADA systems require specialized knowledge, making them difficult for network intruders to access and control.” FALSE! • The above misconception assumes that all attackers of a SCADA system lack the ability to access information about their design and implementation. These assumptions are inappropriate given the changing nature of process system vulnerabilities in an interconnected environment. Also, most SCADA system providers publish their training on the internet, making it accessible to the general public.

  9. The most important reason for ignoring IT security in control systems is the impression that “hackers don’t care about us” FALSE! Target Attractiveness Examples of Recent Attacks Shamoon (2012) Saudi Aramco, the worlds largest oil producer, was targeted by hackers for the government’s supposed support of “oppressive measures” in the Middle East. Mahdi (2012) Trojan espionage attack designed to target Middle Eastern critical infrastructure firms, engineering students, financial services firms, and government embassies. Flame / FinSpy (2012) Highly advanced spyware kits mostly found in the Middle East that can intercept and record communications. Gauss (2012) One of the most sophisticated pieces of malware yet designed to monitor bank account information and the money flow for various Middle Eastern banks. Source: Booz Allen Hamilton

  10. ISO27001 provides an excellent framework to implement IT security controls and a risk management program Management Nature of controls Security Policy Organizational Technical Physical Organization of Information Security Compliance Information Security Incident Management Asset Management Physical and Environmental Security Communications and Operations Mgmt. Access Control Information System Acquisition, Development and Maintenance Human Resources Security Business Continuity Mgmt. Operations Figure: Areas covered by ISO27001/2

  11. ISO27001 provides an excellent framework to implement IT security controls and a risk management program Grouping resulted in 18 policies

  12. But…but…but… isn’t ISO27001 for corporate IT only?! ISO27001’s core objectives are to: Applicable to SCADA? Metrics to provide insight in current security posture In addition, using a well-renowned framework facilitates communication with senior management ISO27001 are not best practices, they are minimum practices

  13. SCADA environments present their own unique challenges to implementing IT security measures Liaise with Engineering team in charge of SCADA systems SCADA systems usually not under control of IT Include IT security updates in maintenance windows SCADA systems are “always on” Identify work-around solutions to mitigate the risks SCADA systems were never built with security in mind Physical security controls deserve full attention from IT security SCADA systems can be in remote areas Build partnership with vendors to obtain relevant information SCADA systems are not always well-documented and studied

  14. Key to a successful SCADA Security program is collaboration between all stakeholders within IT and related departments IT Security Team Engineering / Vendors • Establish and lead procedure development team • Invite ad-hoc specialists depending on the procedure • Responsible for effective review mechanism • Provide in-depth knowledge on IT systems and processes • Must be able to evaluate feasibility of proposed security procedures Operators • Ultimately responsible for following IT security policies • Essential to have security-minded contributors HR/Legal/Others • Other departments must be involved depending on topic • Main task is to ensure IT security procedures are aligned with policies/procedures Internal Audit • Responsible for IT security compliance review • Provide input on enforceability of suggest procedures

  15. Start In summary, an ISO27001 based SCADA security program leverages existing skills and technologies, supplemented with tailored considerations SCADA Security Roadmap to Success Become integrated part of security operations Towards a secure future Provide awareness training to SCADA staff and others Co-develop procedures with in-house SCADA staff Implement Policies & procedures Obtain support from senior management Develop procedures / Risk Management process Key to success is ensuring policies and procedures are realistic and doable Tailor corporate IT security policies Risk Management framework must be tailored, e.g., access rights and backup will most likely differ ISO 27001 – ISA 99 Roadmap

  16. Thank you

More Related