ICS Security Management System
“Using ISO 27001 Standard as the Strategic Management Foundation Integrated with NIST SP 800-82 Auditing Platform”
Presented by: Pedro Wirya, IT and ICS Security Consultant – PECB Certified Trainer
PECB Webinar, October 28th, 2015

Pedro Putu Wirya is an IT and SCADA/ICS Security Consultant with extensive experience in Information Security Management Systems (ISMS) and cyber security assurance.
Background
Why is ICS security important? Consider an incident from the HSE (health, safety and environment) risk perspective.
“One aspect that is most likely to be ignored in ICS engineering and operations is ICS cyber security assurance.”
The importance of Industrial Control System security
Critical function that controls the plant, ensures safe operations and meets the business goal
o Critical industry
o Public infrastructure
HSE risk exposure vs. financial risk exposure
Computerized ICS built on open protocols and an open platform infrastructure
Integration between the ICS network and the business network
Risk inherited from the common IT infrastructure adopted by ICS
Awareness level and business buy-in
Big gaps between IT security and ICS security
Threat and vulnerability vs. risk -> safety, business, environment -> tangible impact vs. investment
Industrial Standard References
ISO 27001: an Information Security Management System (ISMS) standard that covers the management-system framework for the full lifecycle of information security assurance. ISO 27001:2013 has seven management-system clauses:
4. Context of the Organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance Evaluation
10. Improvement
NIST SP 800-82 “Guide to Industrial Control Systems (ICS) Security”: an Industrial Control System security standard that gives detailed recommendations on how to design, develop, implement and assure ICS security. It contains six chapters:
I. Introduction
II. Overview of Industrial Control Systems
III. ICS Risk Management and Assessment
IV. ICS Security Program Development and Deployment
V. ICS Security Architecture
VI. Applying Security Controls to ICS
Integration: ISMS (ISO 27001) + audit framework (NIST SP 800-82)
In summary, the CSET 7.0 “Questions” audit mode maps NIST SP 800-82 to 23 categories of concern for ICS security.
Information Security Assurance Lifecycle
The continual improvement process using the PDCA concept is a requirement in ISO 27001:2005
In ISO 27001:2013 it is no longer required to use PDCA only; each organization can use its existing continual improvement process
The following description still uses PDCA as the continual improvement process for simplicity and general understanding
ISO 27001 Standard Structure (figure): the PDCA cycle laid over the ISO 27001 clauses. Plan: Clause 6 Planning; Do: Clause 8 Operation; Check: Clause 9 Performance Evaluation; Act: Clause 10 Improvement; with Clause 4 Context of the Organization, Clause 5 Leadership, Clause 7 Support and Annex A surrounding the cycle.
PLAN “Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.”
DO “Implement and operate the ISMS policy, controls, processes, and procedures.”
CHECK “Assess and, where applicable, measure process performance against ISMS policy, objectives, and practical experience and report the results to management for review.”
ACT “Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.”
ICS Security Auditing Platform
The auditing tool used is CSET 7.0 (Cyber Security Evaluation Tool) from the US Department of Homeland Security
The standard used for auditing Industrial Control System security is NIST SP 800-82 Rev. 2
The auditing method used in CSET 7.0 is the “Questions” based method
CSET 7.0 assessment modes:
Questions based
o Select “Questions” to answer simple questions related to the selected standard(s)
Requirement based
o Select “Requirements” to use the exact text of a standard. This is particularly helpful for asset owners preparing for an audit against a particular standard
Cyber Security Framework based
The NIST SP 800-82 Rev. 2 auditing standard consists of 23 categories of concern (using Questions mode in CSET 7.0)
In total about 634 questions are answered against the standard
The categories include:
Document Management
Maintenance
Monitoring & Malware
Organizational
Personnel
Physical Security
Plans
Policies
Policies & Procedures General
Portable/Mobile/Wireless
Procedures
Remote Access Control
Risk Management and Assessment
System and Services Acquisition
System Integrity
System Protection
Training
The CSET audit using NIST SP 800-82 can be used to assess ICS security assurance in all phases of the plant lifecycle:
o Design & Engineering
o Commissioning & Testing
o Operations
o Post Operations
Integrating the NIST SP 800-82 auditing platform into ISO 27001 captures the full lifecycle of information security assurance: the PDCA cycle reflected in the ISO 27001 clauses is mapped to the NIST SP 800-82 auditing platform. This concept is described in more detail in the following sections.
Integrating NIST SP 800-82 into the ISO 27001 Framework
When to do the ICS-SMS Audit (CSET 7.0 approach with the NIST SP 800-82 standard)
Only in the “Operations Phase”, or is it recommended to perform the audit during the other phases of the plant lifecycle as well?
Plant Lifecycle / ICS-SMS Audit Focus
Design & Engineering Phase
  Assess the design compliance against the ICS security standard
  Explore security holes and fix them prior to the next phase
Commissioning & Testing Phase
  Align the compliance from the previous phase with the actual implementation
  As the bridge to the next phase, ensure the security assurance is well in place
Operations Phase
  Assess the real practice against the standard
  Determine the real compliance over a long-term window
  Continuous improvement aligned with the plant lifetime
Post Operations Phase
  Ensure information and credentials are safe prior to disengagement
  Final assessment prior to disengaging the system
ICS Security Assurance in the NIST SP 800-82 Standard
Six chapters, four of which form the core content related to ICS-SMS assurance:
I. Introduction
II. Overview of Industrial Control Systems
III. ICS Risk Management and Assessment (core)
IV. ICS Security Program Development and Deployment (core)
V. ICS Security Architecture (core)
VI. Applying Security Controls to ICS (core)
ICS Risk Management and Assessment
The concept of ICS risk management and assessment is similar to ISO 27001
The main difference is the object being assessed
The ultimate exposure is commonly HSE rather than financial loss
Operations Technology vs. Information Technology:
o Resource awareness, availability and capability
o Management buy-in, determination of risk appetite and risk acceptance level
o Tangible vs. intangible risk exposure
o Some risk exposure scenarios are specific compared to common IT security; expertise and field experience are required
ICS Security Program Development and Deployment
Security as a business case
ICS Security Architecture
ICS network segmentation and segregation
ICS logical and physical separation
Boundary protection
Backup and restore management
Defense-in-depth architecture
ICS security architecture recommended practice:
o Firewall policies for ICS (incl. rules for specific services)
o NAT
o AAA
o Incident detection, response and system recovery
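The segmentation and firewall-policy points above (business and control networks separated by a DMZ, deny by default, explicit rules for specific services) can be checked mechanically before a rule set reaches the boundary firewall. The following Python script is an added example written for this page; it is not code from the presentation, from CSET or from NIST. The three-zone model, the Rule format, the port lists and both sample policies are assumptions. It lints a first-match rule list and reports where the policy departs from the recommended practice, using a deliberately weak policy beside a corrected one.

```python
"""Zone-based firewall policy linter for an ICS boundary.

Added example for this page; not code from the presentation, CSET or NIST.
The zone names, Rule format and checks are assumptions chosen to illustrate
NIST SP 800-82 recommended practice: separate the control network from the
business network with a DMZ, deny by default, and write explicit rules for
specific services.
"""
from dataclasses import dataclass
from typing import Optional

ZONES = ("enterprise", "dmz", "control")   # assumed zone model

# Standard TCP ports of common control protocols (IANA assignments).
CONTROL_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}
# Cleartext management services that should not cross a zone boundary.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 69: "TFTP"}


@dataclass(frozen=True)
class Rule:
    src: str                 # zone name or "any"
    dst: str                 # zone name or "any"
    proto: str               # "tcp", "udp" or "any"
    port: Optional[int]      # destination port; None = any port
    action: str              # "allow" or "deny"
    comment: str = ""


def _zone_set(name):
    if name == "any":
        return set(ZONES)
    if name not in ZONES:
        raise ValueError(f"unknown zone {name!r}")
    return {name}


def _is_catch_all_deny(r):
    return r.action == "deny" and r.src == "any" and r.dst == "any" and r.port is None


def lint_policy(rules):
    """Evaluate a first-match rule list; return (code, rule_index, message) findings."""
    findings = []
    if not rules or not _is_catch_all_deny(rules[-1]):
        findings.append(("NO_DEFAULT_DENY", len(rules) - 1,
                         "policy must end with an explicit deny-all rule"))
    shadowed = False
    for i, r in enumerate(rules):
        src, dst = _zone_set(r.src), _zone_set(r.dst)
        if shadowed:
            findings.append(("UNREACHABLE", i, "rule sits after a deny-all and can never match"))
            continue
        if _is_catch_all_deny(r):
            shadowed = True
            continue
        if r.action != "allow":
            continue
        crosses = not (r.src == r.dst and r.src != "any")
        if ("enterprise" in src and "control" in dst) or ("control" in src and "enterprise" in dst):
            findings.append(("NO_DMZ", i, "enterprise and control zones may only talk via the DMZ"))
        if crosses and r.port is None:
            findings.append(("ANY_SERVICE", i, "cross-zone rule allows every service; name the port"))
        if r.port in CONTROL_PORTS and src != {"control"}:
            findings.append(("CONTROL_PROTO_EXPOSED", i,
                             f"{CONTROL_PORTS[r.port]} must originate inside the control zone"))
        if crosses and r.port in CLEARTEXT_PORTS:
            findings.append(("CLEARTEXT_MGMT", i,
                             f"{CLEARTEXT_PORTS[r.port]} crosses a zone boundary in cleartext"))
    return findings


# Constructed sample policies; they do not describe any real site.
WEAK_POLICY = [
    Rule("enterprise", "control", "tcp", None, "allow", "engineering PCs to PLC network"),
    Rule("enterprise", "control", "tcp", 502, "allow", "MES reads Modbus registers directly"),
    Rule("dmz", "control", "tcp", 23, "allow", "telnet to RTUs"),
    Rule("any", "any", "any", None, "deny", "deny by default"),
    Rule("control", "dmz", "tcp", 443, "allow", "added after the deny-all; never matches"),
]

HARDENED_POLICY = [
    Rule("enterprise", "dmz", "tcp", 443, "allow", "business users read the DMZ historian web UI"),
    Rule("control", "dmz", "tcp", 5432, "allow", "collector pushes data to the DMZ historian (port assumed)"),
    Rule("control", "control", "tcp", 502, "allow", "HMI polls PLCs over Modbus/TCP inside the control zone"),
    Rule("dmz", "control", "tcp", 22, "allow", "jump host to engineering workstation over SSH after AAA"),
    Rule("any", "any", "any", None, "deny", "deny by default"),
]

if __name__ == "__main__":
    for code, idx, msg in lint_policy(WEAK_POLICY):
        print(f"rule {idx}: {code}: {msg}")
    print("hardened policy findings:", lint_policy(HARDENED_POLICY))
```

The linter works on first-match semantics, so the check for a trailing deny-all and the check for rules shadowed by it are two sides of the same property; a rule appended after the catch-all is the classic change-management mistake that an audit of the running policy should surface.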
ICS Security Controls
NIST SP 800-82 categorizes the ICS security controls into three types: management, operational and technical.
Management Controls:
o Security Assessment and Authorization
o Planning
Operational Controls:
o Personnel Security
o Physical and Environmental Protection
o Contingency Planning
o Configuration Management
o Media Protection
o Incident Response
Technical Controls:
o Identification and Authentication
o Access Control
The Mapping between the NIST SP 800-82 Standard and the ISO 27001 ISMS Framework
The Umbrella
  ISO 27001: Chapter 4. Context of the Organization; Chapter 5. Leadership; Chapter 7. Support
PLAN
  ISO 27001: Chapter 6. Planning
  NIST SP 800-82: Chapter 3. ICS Risk Management and Assessment; Chapter 4. ICS Security Program Development and Deployment; Chapter 5. ICS Security Architecture
DO
  ISO 27001: Chapter 8. Operations
  NIST SP 800-82: Chapter 4. ICS Security Program Development and Deployment; Chapter 5. ICS Security Architecture
CHECK
  ISO 27001: Chapter 9. Performance Evaluation
  NIST SP 800-82: Auditing platform using CSET 7.0 against the NIST SP 800-82 standard
ACT
  ISO 27001: Chapter 10. Improvement; Annex A. Control Objectives and Controls
  NIST SP 800-82: Chapter 6. Applying Security Controls to ICS
ISMS Framework Integration: NIST SP 800-82 into ISO 27001 (Explanation)
The Umbrella
Chapter 4. Context of the Organization
  Determine the scope of the ICS Security Management System (ICS-SMS)
  Establish, implement, maintain and continually improve the ICS-SMS
Chapter 5. Leadership
  Ensure that the ICS-SMS is compatible with the strategic direction of the organization
  Integrate ICS-SMS requirements into the organization’s related business processes
  Resource support from management
Chapter 7. Support
  Resources, awareness and competence of the individuals and teams involved in the ICS-SMS
  Internal and external communication to ensure ICS-SMS assurance
  Documented information
PLAN
Chapter 6. Planning, with NIST SP 800-82 Chapter 3. ICS Risk Management and Assessment, Chapter 4. ICS Security Program Development and Deployment and Chapter 5. ICS Security Architecture
  Team development, information gathering, definition of the ICS security scope and objects, guidance and references (incl. strategy and development of the ICS security manual/policy/procedures), schedule and charter, asset inventory and characterization (incl. asset criticality assessment), ICS security risk assessment (initial RA), ICS security campaign
DO
Chapter 8. Operations, with NIST SP 800-82 Chapter 4. ICS Security Program Development and Deployment and Chapter 5. ICS Security Architecture
  ICS security campaign, ICS security risk assessment (operations phase: review/revision), controls catalog management, implementation of the ICS security program in the operations phase, deployment of policies and procedures, periodic review and monitoring of ICS security assurance, ensuring ICS security practice is aligned with the agreed references
CHECK
Chapter 9. Performance Evaluation, using the CSET 7.0 auditing platform against the NIST SP 800-82 standard
  Audit of ICS security compliance against the reference standard (NIST SP 800-82) within the ISO 27001 ISMS framework; manage the gap findings and plan the closure actions; handle the audit results by priority; assign the responsible party and ECD (expected completion date); stewardship of planned and completed activities
ACT
Chapter 10. Improvement and Annex A. Control Objectives and Controls, with NIST SP 800-82 Chapter 6. Applying Security Controls to ICS
  Implement the security controls that improve ICS security assurance as per the audit recommendations; integrate ISO 27001 Annex A with NIST SP 800-82 Chapter 6 for more robust solutions (risk analysis of affordability vs. compliance); controls catalog stewardship for continuous improvement; proper closure action, report and management
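The Check and Act steps above (score the CSET answers per category of concern, manage the gap findings by priority, assign a responsible party and ECD, then steward the closure) can be illustrated with a small scoring and gap-register script. The following Python code is an added example for this page; it is not code from the presentation or from CSET. The answer codes (Y, N, A for an alternate control, NA), the rule that Y and A count as compliant while NA is excluded from the denominator, the sample answers and the criticality weights are all assumptions; the category names are taken from the slide's list of categories.

```python
"""CSET-style "Questions" scoring and gap register for the ICS-SMS Check/Act steps.

Added example for this page; not code from the presentation or from CSET.
Answer codes, the compliant/not-applicable treatment, sample answers and
criticality weights are assumptions.
"""
from dataclasses import dataclass

COMPLIANT = {"Y", "A"}            # "A" = alternate control in place (assumed to count as compliant)
VALID = {"Y", "N", "A", "NA"}


@dataclass(frozen=True)
class Answer:
    qid: str
    category: str
    answer: str       # "Y", "N", "A" or "NA"
    text: str = ""

    def __post_init__(self):
        if self.answer not in VALID:
            raise ValueError(f"{self.qid}: invalid answer {self.answer!r}")


def _tally(answers):
    """Per category: [compliant count, applicable count]; N/A answers are skipped."""
    tally = {a.category: [0, 0] for a in answers}
    for a in answers:
        if a.answer == "NA":
            continue
        tally[a.category][1] += 1
        if a.answer in COMPLIANT:
            tally[a.category][0] += 1
    return tally


def category_scores(answers):
    """Percent compliant per category; None when every question in it was N/A."""
    return {cat: (round(100.0 * ok / n, 1) if n else None)
            for cat, (ok, n) in _tally(answers).items()}


def overall_score(answers):
    """Percent compliant across all applicable questions, or None if nothing applies."""
    counts = _tally(answers).values()
    ok, n = sum(v[0] for v in counts), sum(v[1] for v in counts)
    return round(100.0 * ok / n, 1) if n else None


def gap_register(answers, criticality, threshold=80.0):
    """One open action per 'N' answer, ordered by category criticality (1 = highest, assumed)."""
    scores = category_scores(answers)
    register = []
    for a in answers:
        if a.answer != "N":
            continue
        score = scores[a.category]
        register.append({
            "qid": a.qid,
            "category": a.category,
            "priority": criticality.get(a.category, 3),
            "category_score": score,
            "below_threshold": score is not None and score < threshold,
            "owner": None,        # responsible party, assigned during closure planning
            "ecd": None,          # expected completion date
            "status": "open",
        })
    register.sort(key=lambda g: (g["priority"], g["category"], g["qid"]))
    return register


# Constructed sample answers; category names come from the slide's category list.
SAMPLE_ANSWERS = [
    Answer("RAC-1", "Remote Access Control", "Y", "Remote access requires MFA"),
    Answer("RAC-2", "Remote Access Control", "N", "Remote sessions are logged and reviewed"),
    Answer("RAC-3", "Remote Access Control", "N", "Vendor remote access is time-limited"),
    Answer("RAC-4", "Remote Access Control", "A", "Jump host used instead of direct VPN"),
    Answer("PMW-1", "Portable/Mobile/Wireless", "N", "USB media is scanned before use in the control zone"),
    Answer("PMW-2", "Portable/Mobile/Wireless", "NA", "Wireless field networks are in use"),
    Answer("TRN-1", "Training", "Y", "ICS security awareness training is delivered"),
    Answer("TRN-2", "Training", "Y", "Training records are kept"),
    Answer("TRN-3", "Training", "N", "Role-based training for engineers"),
    Answer("POL-1", "Policies", "NA", "Policy covers wireless access"),
    Answer("POL-2", "Policies", "NA", "Policy covers cloud-hosted historians"),
]

# Assumed criticality per category (1 = highest); unlisted categories default to 3.
CRITICALITY = {"Remote Access Control": 1, "Portable/Mobile/Wireless": 2}

if __name__ == "__main__":
    print("overall:", overall_score(SAMPLE_ANSWERS))
    for cat, score in category_scores(SAMPLE_ANSWERS).items():
        print(f"{cat}: {score}")
    for gap in gap_register(SAMPLE_ANSWERS, CRITICALITY):
        print(gap["priority"], gap["qid"], gap["category"], gap["status"])
```

Excluding N/A answers from the denominator matters in ICS audits, where whole categories (for example wireless) may not apply to a plant; reporting such a category as None rather than 0% or 100% keeps the gap register honest, and carrying owner and ECD fields on each entry is what lets the Chapter 10 closure actions be stewarded rather than just listed.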
Summary
ISO 27001 provides complete coverage to form the closed cycle of an ISMS with continual improvement
NIST SP 800-82 covers the ICS-specific security requirements in more detail
Integrating the NIST SP 800-82 platform (including the CSET auditing platform) into ISO 27001 forms a better ICS-SMS framework that covers both the full continual-improvement cycle and the detailed ICS-specific security assurance requirements
ICS security assurance is required in every phase of the plant lifecycle (the depth of detail is subject to local discretion and further analysis)
IT and SCADA ICS Security Courses
ICS Cyber Security Management System, 5-day course: http://fedco.co.id/ics-cyber-security-management-system/
http://fedco.co.id/it-security-essentials/
Certified Lead SCADA Security Professional, 4-day course + 1-day exam: http://fedco.co.id/certified-lead-scada-security-professional/
Certified ISO 27001 Lead Auditor, 4-day course + 1-day exam: http://fedco.co.id/certified-iso-27001-lead-auditor/
IT Security Assurance Services