Chuan weihoo_IISF2011

  1. Critical Infrastructure Protection (CIP)
     Chuan-Wei Hoo, CISSP, CISA, CFE, BCCE
     Volunteer Speaker, (ISC)²
     Security Architect at Business Continuity & Security Governance, British Telecom Global Services
     www.isc2.org
     #IISF2011 © Copyright 1989 – 2011, (ISC)2 All Rights Reserved
  2. Agenda
     • Introduction
     • Current State Of Play
     • Back To Basics
     • Practical Approach
     • Minimum Controls
     • Q&A
  3. CIP – Introduction*
     Entertaining, funny or scary ???
     * Source from Youtube.com
  4. Current State Of Play – Recent Failures
  5. Current State Of Play – Past Failures
     Even in the movie Jurassic Park, the risk of internal threat was clearly demonstrated by the character Dennis Nedry, the Park’s chief computer programmer who designed the system which ran the island. He was suffering from unspecified financial problems and felt disgruntled when he was not paid as much as he wanted for his job. Dennis turned traitor and secretly, for a sizable sum, agreed to smuggle embryos of all 15 dinosaur species off the island. He shut down all the safety systems so as to avoid the electric fences and spying security cameras. With the power gone, the dinosaurs began escaping from their pens and started killing people.
  6. …Possible causes
     • Lack of segregation of duties?
     • Complacency? …contented self-satisfaction
     • Lack of visibility?
     • Lack of privileged access management?
     • Single-point-of-failure (SPOF)
     • Ineffective patch management?
  7. Back To Basics
     • CIP
       – The preparedness and response to serious incidents that involve critical infrastructure (CI), e.g. airports, service providers (electric power, water, telecommunication, etc.)
       – Some CI are SCADA (supervisory control and data acquisition) systems: computer systems that monitor and control industrial, infrastructure, or facility-based processes.
  8. Practical Approach
     • “Outside-in” versus “Inside-out”
     [Diagram: two views of the asset, each with Physical, Technology, Logical and Procedural layers. The outside-in view treats the asset as a whole; the inside-out view breaks the asset into sub-components.]
  9. Outside-in
     • Explore all possible threats to the asset; no breakdown of the asset
     • Assess the potential impact and likelihood of each threat
     • Determine the mitigating control for each threat
     • Design and build the controls for protection
     Outcome: Solution tends to be over-engineered and can be costly. Might fail to address some peculiar threats.
  10. Inside-out
     • Identify the asset; classification and categorization
     • Explore all possible threats to each categorization
     • Assess the potential impact and likelihood of each threat
     • Determine the mitigating control for each threat
     • Design and build the controls for protection
     Outcome: Engineered solutions are targeted to the respective threats and vulnerabilities of each categorization. A more comprehensive approach.
  11. Minimum Controls
     • Executive management support
     • Thorough understanding/knowledge
       – Business
       – IT (full inventory – everything)
       – Operations (supported by IT)
     • Regular comprehensive review
       – Identify SPOF
     • Continuous self assessment
       – Applicable control for tomorrow’s threats
  12. …Management wise
     • So what should we do?
       – Top-down; get the executive management to push down the compliance need (must-do even when it is difficult to reach the right people)
       – Bottom-up; work the ground to get the co-operation of the key stakeholders (lots of PR)
       – Acquire the necessary training (training, certification)
       – Define detailed SOPs (framework, standards e.g. ISO/IEC 27001:2005)
       – Governance review committee (you chair the committee, using reference from a reputable source)
       – Put in measurements (measurable):
         • Key risk indicators
         • Key performance indicators
  13. Key Messages
     • There’s no silver bullet to the problem, only mitigating controls to minimize the risk.
     • Know where your assets are; information & infrastructure (was and is).
     • Review and enhance your existing design and plans.
     • Review and enhance your existing controls to protect your information asset.
     • Continue to educate the end-users and raise awareness (most critical).
  14. Thank you!