ARC's Bob Mick Cyber Security Presentation @ ARC Industry Forum 2010

ARC's Bob Mick Cyber Security Presentation @ ARC Industry Forum 2010 in Orlando, FL.
What Stimulates Cyber Security Activity? For Industrial Control Systems (ICS)
• Risk Management
  - Business: Safety, Environmental, Reliability, Financial …
  - National: Terrorism, Rapidly emerging “Cyber Warfare”
• Regulation & Compliance (Must Do)
  - Government, Customers, Partners, Suppliers …
• Cost Reduction
  - People & Infrastructure
  - Skills & Practices
Cyber Security is a National, Business and Personal Issue

Published in: Technology, Business

Transcript

  • 1. Rethinking Cyber Security for Industrial Control Systems (ICS). Bob Mick, VP Emerging Technologies, ARC Advisory Group. bmick@arcweb.com. © ARC Advisory Group
  • 2. Rethinking Cyber Security. We Now Have Years of Experience - Security is Complex. Are we on the Right Track? What are the Emerging Opportunities? Are We Investing in the Right Security Activities?
  • 3. Introduction; Cyber Security Services; Certification and Testing; Panel (30 minutes); Break; Energy Industry Roadmap; Chemical Industry Roadmap; Panel (30 Minutes)
  • 4. What Stimulates Cyber Security Activity? For Industrial Control Systems (ICS). Risk Management (Business: Safety, Environmental, Reliability, Financial …; National: Terrorism, Rapidly emerging “Cyber Warfare”). Regulation & Compliance (Must Do) (Government, Customers, Partners, Suppliers …). Cost Reduction (People & Infrastructure; Skills & Practices). Cyber Security is a National, Business and Personal Issue
  • 5. Risk Management - A Fundamental Driver. Risk Escalation is Real and Continuing. [Diagram labels: Viruses …; Diverse Sophisticated Combination Attacks; Criminals & “Insider” Threats; Cyber Warfare; More Integration; More Connectivity.] Businesses Will Get More Help in Defining Risk
  • 6. Address National Level Risks. US Department of Homeland Security and Friends. [Diagram labels: Sector Specific Agencies; Chemical SSA; NERC CIP; Energy.] DHS is Driving Industry Specific Activities
  • 7. The Penalty for Not Complying (in the US). Required Practices, Reporting, Responding, Violations … [Slide labels: Energy; Chemicals. Figures: ~$750,000/Month; Up to $25,000/day. Source: CFATS Minutes.] Good Cyber Security Practices are Not Optional for Critical Infrastructure Industries
  • 8. Security Is Not a One-time Investment. Practices are Maturing - It Is Difficult – Skills Shortage? [Cycle diagram: Audit, Assess, Design, Test, Monitor, Mitigate, Adapt, Renovate. “New …” items around the cycle: Business Initiatives, Acquisitions, Partners, Regulations, Cost Pressures, Vulnerabilities, Threats, Patches, People, Organizations, Governments, Technologies, Architectures, Practices, Applications, Systems, …] Cyber Security is a Very Dynamic Activity. Continued Investment is Required
  • 9. The Cost of Cyber Security is Significant. Various IT Analysts Estimates of “Global IT Spend”. [Chart labels and figures, in the order they appear: Global IT Spend $1.5-3 trillion; Security (3-6%) ~$120 billion; Manufacturing and Utilities; $600 billion; Manufacturing and Utilities Security; ~$25 billion. Chart areas: Business Systems, Remote Users, Operations Management, Engineering, Laboratories, Automation.] Includes: Hardware (servers, networking, security appliances, laptops, desktops …); Software (applications, technology platform, monitoring …); Services (consulting, design …); for all corporate IT and some of Engineering, Labs, Operations. Does not include: Hardware (control systems, embedded system …); Software (automation software, DCS, PLC, HMI, SCADA …); Services (systems integration, consulting, managed services ...) for Industrial Control Systems. Big IT Spend – Big Security Spend – Big Losses
  • 10. Explore a Few of Today’s Opportunities. ARC Advisory Group Forum 2010. This Afternoon's Topics. Day 2 - Tuesday Afternoon - Track 4
  • 11. Opportunity: Utilize Security Services. External Resources. Objectives: Cut costs, Cut risks, Improve Security … Activity / Practices for ICS: Assessments (Help readily available); Design (Commonly outsourced); Renovation (Commonly outsourced); Operation (Seldom outsourced); Auditing (Should be outsourced). [Cycle diagram: Audit, Assess, Design, Monitor, Mitigate, Adapt, Renovate.] Tom Good, DuPont Perspective
  • 12. Security Certification and Testing. Know That You Are Secure – And Remain Secure. Objective: Improve Security, Avoid Deterioration …; Strengthen ICS Components; Verify System Effectiveness. Activity / Practices for ICS: Define Standards (Standards bodies); Certification (Independent Organizations); Robustness Testing (Test Tools and Services); Systems Testing (Penetration Testing); Patch Testing (Problem of Timing). Johan Nye, ExxonMobil Perspective
  • 13. Opportunity: Cross Industry Sharing. Industry Activities, Government Activities … Objectives: Leverage practices and experiences; Accelerate progress and avoid duplication of efforts. Keith Stouffer, NIST. Eric Cosman, Dow. 18 Critical Infrastructure Industries
  • 14. Let’s Get Started. For more information, contact bmick@arcweb.com or visit www.arcweb.com
  • 15. Security In Manufacturing, Utilities … Business, Engineering, Laboratories … [Network Model: Business Systems (ERP, SCM, CRM, EAM, BI …; Lab Systems, Engineering Systems); Operations Management Networks (Remote Access; Networking Software; Servers; Intelligences, Analytics, Integration; Historians, Recipe Management); “User Interface” Networks (HMI … DCS … Trending … SCADA); Automation Systems Network (Unit Controllers, PLCs, Devices …). Security Zone Model: Business Systems, Remote Users, Operations Management, Engineering, Laboratories, Automation.] Simple Operations-Centric Perspective