Unrestricted © Siemens A/S siemens.com/industrial security
Industrial Security
Getting Started…
So…
how do we start?
Caught between regulation, requirements, and standards
Unrestricted © Siemens A/S 2018
The all-encompassing Industrial Security Standard
Provides greater clarity by clearly defining the roles and responsibilities
IEC 62443 gives us the ability to communicate
In an unambiguous way
IEC 62443 addresses the Defense in Depth concept
Network Security
• Cell protection, DMZ, and remote maintenance
• Firewall and VPN
• Segmentation
• Asset and Network Management
System integrity
• System hardening
• Authentication and user administration
• Patch management
• Logging and Monitoring
• Detection of attacks
Plant Security
• Physical access protection
• Processes and guidelines
• Security service protecting production plants
IEC 62443 focuses on the interfaces between all stakeholders
Operator,
Integrator, and
Manufacturer
IEC 62443 from machines to corporates
It is scalable
IEC 62443 provides a complete Cyber Security Management System
Risk based approach
That covers the setup of:
Risk analysis
Addressing risk
security organization and security processes
security countermeasures
and Implementation
Monitoring and improving
IEC 62443 from the beginning to the end
It addresses the entire life cycle
Cybersecurity Life Cycle
Getting started
Assess phase
High-level Cyber Risk Assessment
Allocation of IACS Assets to Zones or Conduits
Detailed Cyber Risk Assessment
Develop & implement phase
Cybersecurity Requirements Specification
Design and Engineering of countermeasures or other means of risk reduction
Installation, commissioning, and validation of countermeasures
Maintain phase
Maintenance, Monitoring and Management of change
Incident Response and Recovery
Assess phase
Risk Assessment
Risk = Likelihood x Consequence
Where: Likelihood = Threat x Vulnerability
Assess phase
Risk methods and frameworks
The Information Security Forum (ISF)
National Institute of Standards and Technology (NIST) and…
…
More info (a good overview): https://www.ncsc.gov.uk/guidance/summary-risk-methods-and-frameworks
Assess phase
Segmentation of IT and OT
Assess phase
Trusted/Untrusted
Zones and Conduits
PL1
PL2
Zone Control #1
PL3
Zone Control #2
Conduit
Zone Enterprise Network
Zone Plant
Assess phase
Risk based development of security levels
Evaluate Business Risk to
determine Criticality
Assign Target
Protection Levels
Evaluate
Protection Levels
Achieved
Protection Levels
Security Assessment
Consequence
But…
how specific
is the IEC 62443?
What is the structure of IEC 62443?
1-1 General: Terminology, concepts and models
1-2 General: Master glossary of terms and abbreviations
1-3 General: System security compliance metrics
1-4 General: IACS sec. life cycle and use case
1-5 General: IACS protection levels
2-1 Policies and procedures: Establishing an IACS security program
2-2 Policies and procedures: Operating an IACS security program
2-3 Policies and procedures: Patch management in the IACS environment
2-4 Policies and procedures: Certification of IACS supplier security policies
3-1 System: Security technologies for IACS
3-2 System: Security assurance levels for zones and conduits
3-3 System: System sec. requirements and security assurance levels
4-1 Component: Product development requirements
4-2 Component: Technical sec. requirements for IACS products
Legend: Functional requirements; Processes / procedures; Definition and metrics
Phases in product and IACS life cycles
Product life cycle (Product Supplier): Specification, Design, Commercialization / maintenance, Phase Out
Products: Control Systems, Embedded devices, Network components, Host devices, Applications
IACS life cycle: Specification, Integration / Commissioning, Operation / Maintenance, Decommissioning
Roles: Asset Owner, System Integrator, Asset Owner (Service provider)
Diagram labels: Security targets; Automation solution; Project application; Configuration, User Management; Security measures and settings; Operational policies and procedures; Decommissioning policies and procedures
Phases in product and IACS life cycles, annotated with the applicable IEC 62443 parts: 2-1, 2-3, 2-4, 3-2, 3-3, 4-1, 4-2
Protection Levels
Cover security functionalities and processes
Diagram axes: Security Level (security functionalities), Maturity Level (security processes)
Security Level
SL 1: Capability to protect against casual or coincidental violation
SL 2: Capability to protect against intentional violation using simple means with low resources, generic skills and low motivation
SL 3: Capability to protect against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
SL 4: Capability to protect against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation
Maturity Level
ML 1: Initial - Process unpredictable, poorly controlled, and reactive.
ML 2: Managed - Process characterized, reactive
ML 3: Defined - Process characterized, proactive deployment
ML 4: Optimized - Process measured, controlled, and continuously improved
Protection Levels
PL 1: Protection against casual or coincidental violation
PL 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation
PL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
PL 4: Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation
IEC 62443 Security measures
It is unambiguous …
Secure Physical Access
Organize Security
Secure Solution Design
Secure Operations
Secure Lifecycle management
Revolving doors with card reader and PIN; Video Surveillance and/or IRIS Scanner at door
Dual approval for critical actions
Firewalls with Fail Close (e.g. Next Generation Firewall)
Monitoring of all device activities
Online security functionality verification
…
Revolving doors with card reader
No Email, No WWW, etc. in Secure Cell
2 PCs (Secure Cell/outside)
Monitoring of all human interactions
Automated backup / recovery
… … …
Remote access with cRSP or equivalent
Doors with card reader
Persons responsible for security within own organization
Mandatory security education
Physical network segmentation or equivalent (e.g. SCALANCE S)
Continuous monitoring (e.g. SIEM)
…
Backup verification
Remote access restriction (e.g. need to connect principle)
Locked building/doors with keys
Awareness training (e.g. Operator Aware. training)
Mandatory rules on USB sticks (e.g. Whitelisting)
Network segmentation (e.g. VLAN)
Security logging on all systems
…
Backup / recovery system
+
PL 3
+
PL 2
+
PL 1
PL 4
IEC 62443-3-3
7 Foundational Requirements
FR 1 – Identification and authentication control
FR 2 – Use control
FR 3 – System integrity
FR 4 – Data confidentiality
FR 5 – Restricted data flow
FR 6 – Timely response to events
FR 7 – Resource availability
Defines security requirements for industrial control systems
FR 1 – Identification and authentication control
System Requirement Overview (Part 1)
SRs and REs SL 1 SL 2 SL 3 SL 4
SR 1.1 – Human user identification and authentication    
SR 1.1 RE 1 – Unique identification and authentication   
SR 1.1 RE 2 – Multifactor authentication for untrusted networks  
SR 1.1 RE 3 – Multifactor authentication for all networks 
SR 1.2 – Software process and device identification and authentication   
SR 1.2 RE 1 – Unique identification and authentication  
SR 1.3 – Account management    
SR 1.3 RE 1 – Unified account management  
SR 1.4 – Identifier management    
SR 1.5 – Authenticator management    
SR 1.5 RE 1 – Hardware security for software process identity credentials  
SR 1.6 – Wireless access management    
SR 1.6 RE 1 – Unique identification and authentication   
FR 1 – Identification and authentication control
SR 1.1 – Human user identification and authentication
5.3 SR 1.1 – Human user identification and authentication
5.3.1 Requirement
The control system shall provide the capability to identify and authenticate all human users.
This capability shall enforce such identification and authentication on all interfaces which
provide human user access to the control system to support segregation of duties and least
privilege in accordance with applicable security policies and procedures.
5.3.2 Rationale and supplemental guidance
All human users need to be identified and authenticated for all access to the control system.
Authentication of the identity of these users should be accomplished by using methods such
as passwords, tokens, biometrics or, in the case of multifactor authentication, some
combination thereof. The geographic location of human users can also be used as part of
the authentication process…….
FR 1 – Identification and authentication control
System Requirement Overview (Part 2)
SRs and REs SL 1 SL 2 SL 3 SL 4
SR 1.7 – Strength of password-based authentication    
SR 1.7 RE 1 – Password generation and lifetime restrictions for human users  
SR 1.7 RE 2 – Password lifetime restrictions for all users 
SR 1.8 – Public key infrastructure certificates   
SR 1.9 – Strength of public key authentication   
SR 1.9 RE 1 – Hardware security for public key authentication  
SR 1.10 – Authenticator feedback    
SR 1.11 – Unsuccessful login attempts    
SR 1.12 – System use notification    
SR 1.13 – Access via untrusted networks    
SR 1.13 RE 1 – Explicit access request approval   
FR 2 – Use control
System Requirement Overview (Part 37)
SRs and REs SL 1 SL 2 SL 3 SL 4
SR 2.1 – Authorization enforcement    
SR 2.1 RE 1 – Authorization enforcement for all users   
SR 2.1 RE 2 – Permission mapping to roles   
SR 2.1 RE 3 – Supervisor override  
SR 2.1 RE 4 – Dual approval 
SR 2.2 – Wireless use control    
SR 2.2 RE 1 – Identify and report unauthorized wireless devices  
SR 2.3 – Use control for portable and mobile devices    
SR 2.3 RE 1 – Enforcement of security status of portable and mobile devices  
SR 2.4 – Mobile code    
SR 2.4 RE 1 – Mobile code integrity check  
SR 2.5 – Session lock    
FR 2 – Use control
System Requirement Overview (Part 38)
SRs and REs SL 1 SL 2 SL 3 SL 4
SR 2.6 – Remote session termination   
SR 2.7 – Concurrent session control  
SR 2.8 – Auditable events    
SR 2.8 RE 1 – Centrally managed, system-wide audit trail  
SR 2.9 – Audit storage capacity    
SR 2.9 RE 1 – Warn when audit record storage capacity threshold reached  
SR 2.10 – Response to audit processing failures    
SR 2.11 – Timestamps   
SR 2.11 RE 1 – Internal time synchronization  
SR 2.11 RE 2 – Protection of time source integrity 
SR 2.12 – Non-repudiation  
SR 2.12 RE 1 – Non-repudiation for all users 
FR 3 – System integrity
System Requirement Overview
SRs and REs SL 1 SL 2 SL 3 SL 4
SR 3.1 – Communication integrity    
SR 3.1 RE 1 – Cryptographic integrity protection  
SR 3.2 – Malicious code protection    
SR 3.2 RE 1 – Malicious code protection on entry and exit points   
SR 3.2 RE 2 – Central management and reporting for malicious code protection  
SR 3.3 – Security functionality verification    
SR 3.3 RE 1 – Automated mechanisms for security functionality verification  
SR 3.3 RE 2 – Security functionality verification during normal operation 
SR 3.4 – Software and information integrity   
SR 3.4 RE 1 – Automated notification about integrity violations  
SR 3.5 – Input validation    
SR 3.6 – Deterministic output    
SR 3.7 – Error handling   
SR 3.8 – Session integrity   
SR 3.8 RE 1 – Invalidation of session IDs after session termination  
SR 3.8 RE 2 – Unique session ID generation  
SR 3.8 RE 3 – Randomness of session IDs 
SR 3.9 – Protection of audit information   
SR 3.9 RE 1 – Audit records on write-once media
FR 4 – Data confidentiality
System Requirement Overview
SRs and REs SL 1 SL 2 SL 3 SL 4
SR 4.1 – Information confidentiality    
SR 4.1 RE 1 – Protection of confidentiality at rest or in transit via untrusted networks   
SR 4.1 RE 2 – Protection of confidentiality across zone boundaries 
SR 4.2 – Information persistence   
SR 4.2 RE 1 – Purging of shared memory resources  
SR 4.3 – Use of cryptography    
FR 5 – Restricted data flow
System Requirement Overview
SRs and REs SL 1 SL 2 SL 3 SL 4
SR 5.1 – Network segmentation    
SR 5.1 RE 1 – Physical network segmentation   
SR 5.1 RE 2 – Independence from non-control system networks  
SR 5.1 RE 3 – Logical and physical isolation of critical networks 
SR 5.2 – Zone boundary protection    
SR 5.2 RE 1 – Deny by default, allow by exception   
SR 5.2 RE 2 – Island mode  
SR 5.2 RE 3 – Fail close  
SR 5.3 – General purpose person-to-person communication restrictions    
SR 5.3 RE 1 – Prohibit all general purpose person-to-person communications  
SR 5.4 – Application partitioning    
FR 6 – Timely response to events
System Requirement Overview
SRs and REs SL 1 SL 2 SL 3 SL 4
SR 6.1 – Audit log accessibility    
SR 6.1 RE 1 – Programmatic access to audit logs  
SR 6.2 – Continuous monitoring   
FR 7 – Resource availability
System Requirement Overview
SRs and REs SL 1 SL 2 SL 3 SL 4
SR 7.1 – Denial of service protection    
SR 7.1 RE 1 – Manage communication loads   
SR 7.1 RE 2 – Limit DoS effects to other systems or networks  
SR 7.2 – Resource management    
SR 7.3 – Control system backup    
SR 7.3 RE 1 – Backup verification   
SR 7.3 RE 2 – Backup automation  
SR 7.4 – Control system recovery and reconstitution    
SR 7.5 – Emergency power    
SR 7.6 – Network and security configuration settings    
SR 7.6 RE 1 – Machine-readable reporting of current security settings  
SR 7.7 – Least functionality    
SR 7.8 – Control system component inventory   
Recap - System Security Levels
Plant environment
Automation solution
Control System as a combination of
Independent of plant environment
Control System capabilities
Capability SLs
Risk assessment
System
Integrator
Asset Owner
Product supplier
Target SLs
Achieved SLs
Embedded devices, Network components, Host devices, Applications
IEC 62443
2-1 Establishing an IACS security program
3-2 Security risk assessment and system design
2-4 Certification of IACS supplier security policies
3-3 System security requirements and Security levels
4-1 Product development requirements
4-2 Technical security requirements for IACS products
Contributions of the stakeholders
A piece of a bigger picture
ISO 27001: Well known IT-security standard
IEC 62443: The OT-security standard
NIST 800-30: Risk assessment framework
The Functional Safety standard
Recap…
Act now
Everyone is a target – also small and medium sized plants
IEC 62443 is a risk-based framework that can help you get started in a very structured way
Define your Risk…
Define your organization
Define your Protection level
Define your Zones and Conduits
Security information
Thank You
for your attention

Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Industrial Security.pdf

  • 1. Unrestricted © Siemens A/S siemens.com/industrial security Industrial Security Getting Started…
  • 3. Caught between regulation, requirements, and standards Unrestricted © Siemens A/S 2018
  • 4. The all-encompassing Industrial Security Standard: provides greater clarity by clearly defining the roles and responsibilities
  • 5. IEC 62443 gives us the ability to communicate in an unambiguous way
  • 6. IEC 62443 addresses the Defense in Depth concept
      • Network Security: Cell protection, DMZ, and remote maintenance; Firewall and VPN; Segmentation; Asset and Network Management
      • System integrity: System hardening; Authentication and user administration; Patch management; Logging and Monitoring; Detection of attacks
      • Plant Security: Physical access protection; Processes and guidelines; Security service protecting production plants
  • 7. IEC 62443 focuses on the interfaces between all stakeholders: Operator, Integrator, and Manufacturer
  • 8. IEC 62443 from machines to corporates: It is scalable
  • 9. IEC 62443 provides a complete Cyber Security Management System. Risk based approach that covers the setup of: Risk analysis; Addressing risk; security organization and security processes; security countermeasures and Implementation; Monitoring and improving
  • 10. IEC 62443 from the beginning to the end: It addresses the entire life cycle
  • 11. Cybersecurity Life Cycle: Maintain phase; Assess phase; Develop & implement phase
  • 12. Cybersecurity Life Cycle: Getting started
      • Assess phase: High-level Cyber Risk Assessment; Allocation of IACS Assets to Zones or Conduits; Detailed Cyber Risk Assessment
      • Develop & implement phase: Cybersecurity Requirements Specification; Design and Engineering of countermeasures or other means of risk reduction; Installation, commissioning, and validation of countermeasures
      • Maintain phase: Maintenance, Monitoring and Management of change; Incident Response and Recovery
  • 13. Assess phase: Risk Assessment. Risk = Likelihood x Consequence, where Likelihood = Threat x Vulnerability
  • 14. Assess phase: Risk methods and frameworks. The Information Security Forum (ISF), National Institute of Standards and Technology (NIST) and… A good overview. More info: https://www.ncsc.gov.uk/guidance/summary-risk-methods-and-frameworks
  • 15. Assess phase: Segmentation of IT and OT
  • 16. Assess phase: Trusted/Untrusted Zones and Conduits. Diagram labels: PL1; PL2; PL3; Zone Control #1; Zone Control #2; Conduit; Zone Enterprise Network; Zone Plant
  • 17. Assess phase: Risk based development of security levels. Evaluate Business Risk to determine Criticality; Assign Target Protection Levels; Evaluate Protection Levels; Achieved Protection Levels; Security Assessment; Consequence
  • 19. What is the structure of IEC 62443?
      • General: 1-1 Terminology, concepts and models; 1-2 Master glossary of terms and abbreviations; 1-3 System security compliance metrics; 1-4 IACS sec. life cycle and use case; 1-5 IACS protection levels
      • Policies and procedures: 2-1 Establishing an IACS security program; 2-2 Operating an IACS security program; 2-3 Patch management in the IACS environment; 2-4 Certification of IACS supplier security policies
      • System: 3-1 Security technologies for IACS; 3-2 Security assurance levels for zones and conduits; 3-3 System sec. requirements and security assurance levels
      • Component: 4-1 Product development requirements; 4-2 Technical sec. requirements for IACS products
      • Legend: Functional requirements; Processes / procedures; Definition and metrics
  • 20. Phases in product and IACS life cycles. Diagram labels:
      • Product life cycle: Product Supplier; Commercialization / maintenance; Control Systems; Embedded devices; Network components; Host devices; Applications
      • IACS life cycle: Asset Owner; System Integrator; Asset Owner (Service provider); Automation solution; Project application; Security targets; Security measures and settings; Configuration, User Management; Operational policies and procedures; Decommissioning policies and procedures
      • Phases: Specification; Design; Integration / Commissioning; Operation / Maintenance; Decommissioning; Phase Out
  • 21. Phases in product and IACS life cycles. The diagram from slide 20, annotated with IEC 62443 part numbers: 2-1, 2-3, 2-4, 3-2, 3-3, 4-1, 4-2
  • 22. Protection Levels: cover security functionalities and processes
      • Security Level (security functionalities):
          • SL 1: Capability to protect against casual or coincidental violation
          • SL 2: Capability to protect against intentional violation using simple means with low resources, generic skills and low motivation
          • SL 3: Capability to protect against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
          • SL 4: Capability to protect against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation
      • Maturity Level (security processes):
          • ML 1: Initial - Process unpredictable, poorly controlled, and reactive
          • ML 2: Managed - Process characterized, reactive
          • ML 3: Defined - Process characterized, proactive deployment
          • ML 4: Optimized - Process measured, controlled, and continuously improved
      • Protection Levels:
          • PL 1: Protection against casual or coincidental violation
          • PL 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation
          • PL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
          • PL 4: Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation
  • 23. IEC 62443 Security measures: It is unambiguous …
      • Categories: Secure Physical Access | Organize Security | Secure Solution Design | Secure Operations | Secure Lifecycle management
      • Level labels: + PL 3, + PL 2, + PL 1, PL 4
      • Revolving doors with card reader and PIN; Video Surveillance and/or IRIS Scanner at door | Dual approval for critical actions | Firewalls with Fail Close (e.g. Next Generation Firewall) | Monitoring of all device activities | Online security functionality verification | …
      • Revolving doors with card reader | No Email, No WWW, etc. in Secure Cell | 2 PCs (Secure Cell/outside) | Monitoring of all human interactions | Automated backup / recovery | … | Remote access with cRSP or equivalent
      • Doors with card reader | Persons responsible for security within own organization | Mandatory security education | Physical network segmentation or equivalent (e.g. SCALANCE S) | Continuous monitoring (e.g. SIEM) | … | Backup verification | Remote access restriction (e.g. need to connect principle)
      • Locked building/doors with keys | Awareness training (e.g. Operator Aware. training) | Mandatory rules on USB sticks (e.g. Whitelisting) | Network segmentation (e.g. VLAN) | Security logging on all systems | … | Backup / recovery system
  • 24. Protection Levels: Cover security functionalities and processes
  • 25. IEC 62443-3-3: Defines security requirements for industrial control systems. 7 Foundational Requirements:
      • FR 1 – Identification and authentication control
      • FR 2 – Use control
      • FR 3 – System integrity
      • FR 4 – Data confidentiality
      • FR 5 – Restricted data flow
      • FR 6 – Timely response to events
      • FR 7 – Resource availability
  • 26. FR 1 – Identification and authentication control: System Requirement Overview (Part 1). SRs and REs, with the security levels (SL 1 to SL 4) at which each is marked:
      • SR 1.1 – Human user identification and authentication: SL 1–4
      • SR 1.1 RE 1 – Unique identification and authentication: SL 2–4
      • SR 1.1 RE 2 – Multifactor authentication for untrusted networks: SL 3–4
      • SR 1.1 RE 3 – Multifactor authentication for all networks: SL 4
      • SR 1.2 – Software process and device identification and authentication: SL 2–4
      • SR 1.2 RE 1 – Unique identification and authentication: SL 3–4
      • SR 1.3 – Account management: SL 1–4
      • SR 1.3 RE 1 – Unified account management: SL 3–4
      • SR 1.4 – Identifier management: SL 1–4
      • SR 1.5 – Authenticator management: SL 1–4
      • SR 1.5 RE 1 – Hardware security for software process identity credentials: SL 3–4
      • SR 1.6 – Wireless access management: SL 1–4
      • SR 1.6 RE 1 – Unique identification and authentication: SL 2–4
  • 27. FR 1 – Identification and authentication control: SR 1.1 – Human user identification and authentication
      • 5.3 SR 1.1 – Human user identification and authentication
      • 5.3.1 Requirement: The control system shall provide the capability to identify and authenticate all human users. This capability shall enforce such identification and authentication on all interfaces which provide human user access to the control system to support segregation of duties and least privilege in accordance with applicable security policies and procedures.
      • 5.3.2 Rationale and supplemental guidance: All human users need to be identified and authenticated for all access to the control system. Authentication of the identity of these users should be accomplished by using methods such as passwords, tokens, biometrics or, in the case of multifactor authentication, some combination thereof. The geographic location of human users can also be used as part of the authentication process…
  • 28. FR 1 – Identification and authentication control: System Requirement Overview (Part 2). SRs and REs, with the security levels (SL 1 to SL 4) at which each is marked:
      • SR 1.7 – Strength of password-based authentication: SL 1–4
      • SR 1.7 RE 1 – Password generation and lifetime restrictions for human users: SL 3–4
      • SR 1.7 RE 2 – Password lifetime restrictions for all users: SL 4
      • SR 1.8 – Public key infrastructure certificates: SL 2–4
      • SR 1.9 – Strength of public key authentication: SL 2–4
      • SR 1.9 RE 1 – Hardware security for public key authentication: SL 3–4
      • SR 1.10 – Authenticator feedback: SL 1–4
      • SR 1.11 – Unsuccessful login attempts: SL 1–4
      • SR 1.12 – System use notification: SL 1–4
      • SR 1.13 – Access via untrusted networks: SL 1–4
      • SR 1.13 RE 1 – Explicit access request approval: SL 2–4
  • 29. FR 2 – Use control: System Requirement Overview (Part 37 ). SRs and REs, with the security levels (SL 1 to SL 4) at which each is marked:
      • SR 2.1 – Authorization enforcement: SL 1–4
      • SR 2.1 RE 1 – Authorization enforcement for all users: SL 2–4
      • SR 2.1 RE 2 – Permission mapping to roles: SL 2–4
      • SR 2.1 RE 3 – Supervisor override: SL 3–4
      • SR 2.1 RE 4 – Dual approval: SL 4
      • SR 2.2 – Wireless use control: SL 1–4
      • SR 2.2 RE 1 – Identify and report unauthorized wireless devices: SL 3–4
      • SR 2.3 – Use control for portable and mobile devices: SL 1–4
      • SR 2.3 RE 1 – Enforcement of security status of portable and mobile devices: SL 3–4
      • SR 2.4 – Mobile code: SL 1–4
      • SR 2.4 RE 1 – Mobile code integrity check: SL 3–4
      • SR 2.5 – Session lock: SL 1–4
  • 30. FR 2 – Use control: System Requirement Overview (Part 38 ). SRs and REs, with the security levels (SL 1 to SL 4) at which each is marked:
      • SR 2.6 – Remote session termination: SL 2–4
      • SR 2.7 – Concurrent session control: SL 3–4
      • SR 2.8 – Auditable events: SL 1–4
      • SR 2.8 RE 1 – Centrally managed, system-wide audit trail: SL 3–4
      • SR 2.9 – Audit storage capacity: SL 1–4
      • SR 2.9 RE 1 – Warn when audit record storage capacity threshold reached: SL 3–4
      • SR 2.10 – Response to audit processing failures: SL 1–4
      • SR 2.11 – Timestamps: SL 2–4
      • SR 2.11 RE 1 – Internal time synchronization: SL 3–4
      • SR 2.11 RE 2 – Protection of time source integrity: SL 4
      • SR 2.12 – Non-repudiation: SL 3–4
      • SR 2.12 RE 1 – Non-repudiation for all users: SL 4
  • 31. FR 3 – System integrity: System Requirement Overview. SRs and REs, with the security levels (SL 1 to SL 4) at which each is marked:
      • SR 3.1 – Communication integrity: SL 1–4
      • SR 3.1 RE 1 – Cryptographic integrity protection: SL 3–4
      • SR 3.2 – Malicious code protection: SL 1–4
      • SR 3.2 RE 1 – Malicious code protection on entry and exit points: SL 2–4
      • SR 3.2 RE 2 – Central management and reporting for malicious code protection: SL 3–4
      • SR 3.3 – Security functionality verification: SL 1–4
      • SR 3.3 RE 1 – Automated mechanisms for security functionality verification: SL 3–4
      • SR 3.3 RE 2 – Security functionality verification during normal operation: SL 4
      • SR 3.4 – Software and information integrity: SL 2–4
      • SR 3.4 RE 1 – Automated notification about integrity violations: SL 3–4
      • SR 3.5 – Input validation: SL 1–4
      • SR 3.6 – Deterministic output: SL 1–4
      • SR 3.7 – Error handling: SL 2–4
      • SR 3.8 – Session integrity: SL 2–4
      • SR 3.8 RE 1 – Invalidation of session IDs after session termination: SL 3–4
      • SR 3.8 RE 2 – Unique session ID generation: SL 3–4
      • SR 3.8 RE 3 – Randomness of session IDs: SL 4
      • SR 3.9 – Protection of audit information: SL 2–4
      • SR 3.9 RE 1 – Audit records on write-once media: SL 4
  • 32. FR 4 – Data confidentiality: System Requirement Overview. SRs and REs, with the security levels (SL 1 to SL 4) at which each is marked:
      • SR 4.1 – Information confidentiality: SL 1–4
      • SR 4.1 RE 1 – Protection of confidentiality at rest or in transit via untrusted networks: SL 2–4
      • SR 4.1 RE 2 – Protection of confidentiality across zone boundaries: SL 4
      • SR 4.2 – Information persistence: SL 2–4
      • SR 4.2 RE 1 – Purging of shared memory resources: SL 3–4
      • SR 4.3 – Use of cryptography: SL 1–4
  • 33. FR 5 – Restricted data flow: System Requirement Overview. SRs and REs, with the security levels (SL 1 to SL 4) at which each is marked:
      • SR 5.1 – Network segmentation: SL 1–4
      • SR 5.1 RE 1 – Physical network segmentation: SL 2–4
      • SR 5.1 RE 2 – Independence from non-control system networks: SL 3–4
      • SR 5.1 RE 3 – Logical and physical isolation of critical networks: SL 4
      • SR 5.2 – Zone boundary protection: SL 1–4
      • SR 5.2 RE 1 – Deny by default, allow by exception: SL 2–4
      • SR 5.2 RE 2 – Island mode: SL 3–4
      • SR 5.2 RE 3 – Fail close: SL 3–4
      • SR 5.3 – General purpose person-to-person communication restrictions: SL 1–4
      • SR 5.3 RE 1 – Prohibit all general purpose person-to-person communications: SL 3–4
      • SR 5.4 – Application partitioning: SL 1–4
  • 34. FR 6 – Timely response to events: System Requirement Overview. SRs and REs, with the security levels (SL 1 to SL 4) at which each is marked:
      • SR 6.1 – Audit log accessibility: SL 1–4
      • SR 6.1 RE 1 – Programmatic access to audit logs: SL 3–4
      • SR 6.2 – Continuous monitoring: SL 2–4
  • 35. FR 7 – Resource availability: System Requirement Overview. SRs and REs, with the security levels (SL 1 to SL 4) at which each is marked:
      • SR 7.1 – Denial of service protection: SL 1–4
      • SR 7.1 RE 1 – Manage communication loads: SL 2–4
      • SR 7.1 RE 2 – Limit DoS effects to other systems or networks: SL 3–4
      • SR 7.2 – Resource management: SL 1–4
      • SR 7.3 – Control system backup: SL 1–4
      • SR 7.3 RE 1 – Backup verification: SL 2–4
      • SR 7.3 RE 2 – Backup automation: SL 3–4
      • SR 7.4 – Control system recovery and reconstitution: SL 1–4
      • SR 7.5 – Emergency power: SL 1–4
      • SR 7.6 – Network and security configuration settings: SL 1–4
      • SR 7.6 RE 1 – Machine-readable reporting of current security settings: SL 3–4
      • SR 7.7 – Least functionality: SL 1–4
      • SR 7.8 – Control system component inventory: SL 2–4
  • 36. Recap - System Security Levels: Contributions of the stakeholders. Diagram labels:
      • Stakeholders: Asset Owner; System Integrator; Product supplier
      • Plant environment; Automation solution; Risk assessment; Target SLs; Achieved SLs
      • Independent of plant environment; Control System capabilities; Capability SLs; Control System as a combination of Embedded devices, Network components, Host devices, Applications
      • IEC 62443 parts: 2-1 Establishing an IACS security program; 2-4 Certification of IACS supplier security policies; 3-2 Security risk assessment and system design; 3-3 System security requirements and Security levels; 4-1 Product development requirements; 4-2 Technical security requirements for IACS products
  • 37. A piece of a bigger picture: ISO 27001 (Well known IT-security standard); IEC 62443 (The OT-security standard); NIST 800-30 (Risk assessment framework); The Functional Safety standard
  • 38. Recap… Act now. Everyone is a target – also small and medium sized plants. IEC 62443 is a risk-based framework that can help you get started in a very structured way. Define your Risk… Define your organization. Define your Protection level. Define your Zones and Conduits.
  • 39. Security information. Thank You for your attention
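
Added example (not part of the Siemens deck): a gap analysis that compares what a zone has implemented against the FR 5 rows of slide 33 for its target security level, as in the target/achieved comparison of slide 17. The function names, the target levels and the zone inventories are constructed for illustration, and the minimum SL per row assumes that a row with n marks on the slide covers the top n levels.

```python
"""FR 5 (restricted data flow) gap analysis per zone. Added example."""

# Lowest security level (SL) at which each FR 5 row is marked on slide 33.
# Assumption: marks are cumulative, so a requirement that applies at one SL
# also applies at every higher SL.
FR5_MIN_SL = {
    "SR 5.1": 1,       # Network segmentation
    "SR 5.1 RE 1": 2,  # Physical network segmentation
    "SR 5.1 RE 2": 3,  # Independence from non-control system networks
    "SR 5.1 RE 3": 4,  # Logical and physical isolation of critical networks
    "SR 5.2": 1,       # Zone boundary protection
    "SR 5.2 RE 1": 2,  # Deny by default, allow by exception
    "SR 5.2 RE 2": 3,  # Island mode
    "SR 5.2 RE 3": 3,  # Fail close
    "SR 5.3": 1,       # General purpose person-to-person communication restrictions
    "SR 5.3 RE 1": 3,  # Prohibit all general purpose person-to-person communications
    "SR 5.4": 1,       # Application partitioning
}


def check_ids(implemented):
    """Reject identifiers that are not FR 5 rows, e.g. the typo 'SR 5.2 RE1'."""
    unknown = sorted(set(implemented) - set(FR5_MIN_SL))
    if unknown:
        raise ValueError(f"unknown requirement id(s): {unknown}")
    return set(implemented)


def required(target_sl):
    """All SRs and REs that must be met for the given target SL."""
    if target_sl not in (1, 2, 3, 4):
        raise ValueError("target SL must be 1..4")
    return {rid for rid, min_sl in FR5_MIN_SL.items() if min_sl <= target_sl}


def achieved_sl(implemented):
    """Highest SL whose full requirement set is implemented (0 if none)."""
    have = check_ids(implemented)
    level = 0
    for sl in (1, 2, 3, 4):
        if not required(sl) <= have:
            break  # a missing lower-level row caps the achieved level
        level = sl
    return level


def gaps(target_sl, implemented):
    """Requirements still missing for the target SL, sorted by identifier."""
    return sorted(required(target_sl) - check_ids(implemented))


def orphan_enhancements(implemented):
    """REs claimed without their base SR, which points to a bad inventory."""
    have = check_ids(implemented)
    return sorted(r for r in have if " RE " in r and r.split(" RE ")[0] not in have)


# Constructed inventory: zone names are from slide 16, everything else is
# invented sample data.
BASE = {"SR 5.1", "SR 5.2", "SR 5.3", "SR 5.4"}
ZONES = {
    "Zone Enterprise Network": {"target": 1, "implemented": set(BASE)},
    "Zone Control #1": {"target": 2, "implemented": BASE | {"SR 5.2 RE 1"}},
    "Zone Control #2": {
        "target": 3,
        "implemented": BASE | {"SR 5.1 RE 1", "SR 5.2 RE 1", "SR 5.2 RE 2", "SR 5.2 RE 3"},
    },
}


def assess(zones):
    """Target SL, achieved SL and missing rows for every zone."""
    return {
        name: {
            "target": z["target"],
            "achieved": achieved_sl(z["implemented"]),
            "missing": gaps(z["target"], z["implemented"]),
        }
        for name, z in zones.items()
    }


if __name__ == "__main__":
    for name, r in assess(ZONES).items():
        status = "OK" if not r["missing"] else "GAP: " + ", ".join(r["missing"])
        print(f"{name}: target SL {r['target']}, achieved SL {r['achieved']} -> {status}")
```

Zone Control #2 shows why the achieved level is capped by the weakest row: it has fail close and island mode in place, yet stays at SL 2 until the two remaining SL 3 rows are met.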