Slide 1: Building Cybersecurity into a Greenfield ICS Project
2017 ICSJWG Spring Meeting
John Cusimano & Steve Stock, aeSolutions
Slide 2: Agenda
• Project justification
• Business challenges
• Integrating cybersecurity into the ICS project lifecycle
• Benefits
• Critical Success Factors
Slide 3: Project Justification
• Cybersecurity top priority for company
• Recognize the relationship between process safety and OT cybersecurity
• Operate critical infrastructure
• Desire to be compliant with industry best practices and standards
• Desire to Build Security In (i.e. “Stop the bleeding”)
Integrating cybersecurity into the project is far superior to adding security after the fact, and will cost less
Slide 4: Business Challenges
• Buy-in from senior management
• Buy-in from project management
• Support from the EPC, vendors, SIs and operations
• Minimal impact on the project schedule
Slide 5: Typical ICS cybersecurity lifecycle for existing systems
(Flow diagram) Vulnerability / Gap Assessment → Risk Assessment → Mitigation Plan → Implement → Maintain & Audit
Slide 6: Integrating Cybersecurity into the ICS Project Lifecycle
(Lifecycle diagram) Project phases: Front-end Engineering → Detailed Engineering → Construction → Commission → Run & Maintain
Cybersecurity activities mapped onto those phases: CyberPHA → Cyber Req Spec → Design Review(s) → Cyber FAT → Cyber SAT → Security Management, Monitoring and Incident Response
Slide 7: ICS Cybersecurity Risk Assessment (Cyber PHA)
• Systematic approach
• Process defined in ISA/IEC 62443-3-2 “Security Risk Assessment and System Design” (a draft standard at the time of this presentation)
• Similar to a PHA / HAZOP
• Start by partitioning the system into zones and conduits
Slide 8: ICS Cybersecurity Risk Assessment (Cyber PHA)
• Each zone/conduit is assessed to identify threats, vulnerabilities, consequences and risk
• Additional countermeasures are defined to address unacceptable risk
• Prioritize activities and resources
• Document and justify decisions
• Risk register and risk profile
• Prioritized recommendations and plan
• Training and awareness
• Successfully applied at numerous PSM-regulated companies
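The following is an added example, not material from the presentation, showing the Cyber PHA mechanics of slides 7 and 8 in code: the system is partitioned into zones and conduits, each scenario records a threat, vulnerability and consequence for one zone, the corporate likelihood × consequence matrix scores it before and after the proposed countermeasures, and the result is ranked into a risk register with a risk profile and a list of scenarios that still sit above the tolerance line. The 5×5 matrix, the tolerance line (Low/Medium tolerable), and every zone, conduit and scenario are hypothetical values constructed for the example; a real Cyber PHA uses the asset owner's own matrix and scales.

```python
"""Cyber PHA risk register: an added example, not material from the
presentation. Zones and conduits partition the system, each scenario
records a threat/vulnerability/consequence for one zone, and the
corporate risk matrix scores it before and after countermeasures.
The matrix, tolerance line and all sample data are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LEVELS = ("Low", "Medium", "High", "Critical")
# Hypothetical 5x5 corporate risk matrix, indexed [likelihood-1][severity-1].
RISK_MATRIX = (
    ("Low", "Low", "Low", "Medium", "Medium"),          # likelihood 1: remote
    ("Low", "Low", "Medium", "Medium", "High"),
    ("Low", "Medium", "Medium", "High", "High"),
    ("Medium", "Medium", "High", "High", "Critical"),
    ("Medium", "High", "High", "Critical", "Critical"),  # likelihood 5: frequent
)
TOLERABLE = {"Low", "Medium"}  # assumption: High/Critical need more countermeasures

@dataclass
class Zone:
    name: str
    assets: List[str]

@dataclass
class Conduit:
    name: str
    src: str
    dst: str
    protocols: List[str]

@dataclass
class Scenario:
    sid: str
    zone: str
    threat: str
    vulnerability: str
    consequence: str
    likelihood: int                            # 1..5 with existing safeguards
    severity: int                              # 1..5 on the corporate consequence scale
    countermeasures: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None  # after proposed countermeasures

def risk_level(likelihood: int, severity: int) -> str:
    if not (1 <= likelihood <= 5 and 1 <= severity <= 5):
        raise ValueError("likelihood and severity must be in 1..5")
    return RISK_MATRIX[likelihood - 1][severity - 1]

def check_conduits(zones: List[Zone], conduits: List[Conduit]) -> List[str]:
    """Names of conduits that do not join two defined zones (spec errors)."""
    names = {z.name for z in zones}
    return [c.name for c in conduits if c.src not in names or c.dst not in names]

def build_register(scenarios: List[Scenario]) -> List[Dict]:
    """Score every scenario before and after countermeasures, worst first."""
    register = []
    for s in scenarios:
        initial = risk_level(s.likelihood, s.severity)
        post = s.likelihood if s.residual_likelihood is None else s.residual_likelihood
        residual = risk_level(post, s.severity)
        register.append({
            "id": s.sid, "zone": s.zone, "initial": initial, "residual": residual,
            "action_required": initial not in TOLERABLE,
            "residual_acceptable": residual in TOLERABLE,
            "countermeasures": list(s.countermeasures),
        })
    register.sort(key=lambda r: (-LEVELS.index(r["initial"]), r["id"]))
    return register

def risk_profile(register: List[Dict], key: str = "initial") -> Dict[str, int]:
    """Scenario count per risk level: the slide's 'risk profile'."""
    return {lvl: sum(1 for r in register if r[key] == lvl) for lvl in LEVELS}

def still_unacceptable(register: List[Dict]) -> List[str]:
    """Ids whose residual risk is still above the tolerance line."""
    return [r["id"] for r in register if not r["residual_acceptable"]]

# Constructed sample data (hypothetical plant).
ZONES = [Zone("Corporate", ["ERP", "user workstations"]),
         Zone("DMZ", ["historian mirror", "patch server"]),
         Zone("Control", ["PLCs", "operator HMIs", "engineering workstation"])]
CONDUITS = [Conduit("Corp-DMZ", "Corporate", "DMZ", ["HTTPS"]),
            Conduit("DMZ-Control", "DMZ", "Control", ["OPC UA"])]
SCENARIOS = [
    Scenario("S1", "Control", "malware carried in on an engineering laptop",
             "removable media allowed on the engineering workstation",
             "loss of view and control, unit trip", 4, 4,
             ["application whitelisting on EWS", "removable media policy"], 2),
    Scenario("S2", "DMZ", "attacker on corporate network reaches historian",
             "historian exposed on an unfiltered port",
             "loss of historian data, foothold for a pivot", 3, 3),
    Scenario("S3", "Control", "unauthorized setpoint change from an HMI",
             "shared operator accounts", "off-spec product, safety system demand",
             3, 5, ["individual accounts with role-based access"], 2),
]

if __name__ == "__main__":
    reg = build_register(SCENARIOS)
    for r in reg:
        print(f"{r['id']} {r['zone']:<9} {r['initial']:<8} -> {r['residual']:<8} "
              f"action={'yes' if r['action_required'] else 'no'}")
    print("profile:", risk_profile(reg), "| still unacceptable:", still_unacceptable(reg))
```

With this data S1 and S3 both score High initially and sort to the top; the whitelisting and media controls bring S1 down to Medium, but S3 stays High after individual accounts because its severity (a safety demand) is unchanged, so it is the scenario the team must return to with a stronger countermeasure, which is exactly the "document and justify decisions" step the slide calls for.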
Slide 9: Integrating Cybersecurity into the ICS Project Lifecycle
(Lifecycle diagram from slide 6, repeated as a section divider)
Slide 10: Cybersecurity Requirements Specification
• A set of requirements for the system based upon the results of the cybersecurity risk assessment and industry best practices/standards
  – General security requirements for the entire system
  – Identification of security zones and conduits
  – Identification of the IACS assets assigned to each zone/conduit
  – Requirements for how zone/conduit boundaries will be monitored and secured
  – Requirements for how networks will be monitored and secured
  – Requirements for how the various types of end-points (e.g. operating systems, applications, embedded devices, etc.) will be hardened
  – Requirements for security management
• An organization can have a general ICS cybersecurity specification, but a unique spec should be developed for each ICS
Slide 11: Security Management Requirements
• ICS Asset Management
• Access Control
• Malware Prevention (antivirus and/or whitelisting)
• Patch Management
• System Backups
• Configuration/Change Management
• Network monitoring and intrusion detection
• Security incident and event management (SIEM)
• Information & Documentation Management
Slide 12: Integrating Cybersecurity into the ICS Project Lifecycle
(Lifecycle diagram from slide 6, repeated as a section divider)
Slide 13: ICS Cybersecurity Design Review
• Review of the design with key stakeholders (e.g. Asset Owner, EPC, System Integrator, etc.)
• Review and discuss how the cybersecurity requirements are satisfied
• Document issues (i.e. gaps) that need to be addressed
• Ideally performed following conceptual design and again following detailed design
Slide 14: Integrating Cybersecurity into the ICS Project Lifecycle
(Lifecycle diagram from slide 6, repeated as a section divider)
Slide 15: Cybersecurity Acceptance Testing
The cybersecurity of a system should be tested and accepted by the operating company prior to delivery and prior to startup
• Cybersecurity Factory Acceptance Testing (CFAT)
  – Performed at the FAT site (e.g. vendor or system integrator)
  – Performed after functional testing of the system is complete
• Cybersecurity Site Acceptance Testing (CSAT)
  – Performed onsite at the location where the system will be operated
  – Performed after operational testing is complete
  – Prior to releasing the system to operations
Slide 16: Cybersecurity Acceptance Testing
• Verification of cybersecurity requirements
  – Verify security settings were properly configured: OS, applications/databases, network devices, ICS devices, antivirus software
  – Access controls have been properly established
  – Security components (e.g. firewalls) were installed and properly configured
  – Detection systems are operational and able to identify and report events
• Cybersecurity robustness testing
  – Testing designed to discover and identify the weaknesses or vulnerabilities in a system
  – Test resilience to network attacks (e.g. storms, fuzzing)
  – Vulnerability scanning
  – Intrusion testing to verify firewall configuration
Slide 17: Cybersecurity Acceptance Testing Best Practices
• Define the System-Under-Test
• Develop a verification and test plan
• Collaborate with process FAT/SAT teams
• Verify cybersecurity configuration settings
• Perform robustness testing
• Document results (i.e. punchlist)
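The following is an added example, not material from the presentation, that works the CFAT/CSAT procedure of slides 16 and 17 through for one requirement, "intrusion testing to verify firewall configuration": the system-under-test is defined as a set of zones (one subnet each), the conduit specification from the Cyber Requirements Spec says which services may cross each zone boundary, a test matrix (every ordered zone pair × every probed service) is generated from that spec with an expected permit/deny per cell, the as-built ruleset is evaluated against the matrix, and each mismatch becomes a punchlist item. At the FAT the ruleset export can be checked offline like this before the live probes are run; on site the same matrix drives the actual intrusion tests. The zone subnets, the conduit spec, the simplified first-match rule format and the `evaluate`/`verify_ruleset` functions are hypothetical constructions for the example; a real firewall has its own rule syntax and semantics (stateful tracking, interface binding, NAT) that this model ignores.

```python
"""Conduit verification for a cybersecurity FAT/SAT: an added example, not
from the presentation. Evaluates an as-built firewall ruleset offline
against a test matrix generated from the conduit specification and
turns every mismatch into a punchlist finding. Zones, conduits, the
rule format and the ruleset are hypothetical values constructed here."""
import ipaddress
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Service = Tuple[str, int]  # (protocol, destination port)

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None = any port

@dataclass
class Finding:
    check: str
    detail: str

# System-under-test: zone name -> subnet (constructed).
ZONES: Dict[str, str] = {
    "corporate": "10.10.0.0/16",
    "dmz": "10.20.0.0/24",
    "control": "10.30.0.0/24",
}
# Conduit spec: (src zone, dst zone) -> services allowed across that boundary (constructed).
CONDUITS: Dict[Tuple[str, str], Set[Service]] = {
    ("corporate", "dmz"): {("tcp", 443)},   # users reach the historian mirror over HTTPS
    ("dmz", "control"): {("tcp", 4840)},    # DMZ collector polls the control zone over OPC UA
}
# Services probed on every boundary in addition to those in the spec.
EXTRA_PROBES: Set[Service] = {("tcp", 22), ("tcp", 80), ("tcp", 502), ("tcp", 3389), ("udp", 161)}

# As-built ruleset exported at the FAT (constructed); the third rule is a
# leftover remote-support path that the conduit spec does not allow.
AS_BUILT: List[Rule] = [
    Rule("permit", "10.10.0.0/16", "10.20.0.0/24", "tcp", 443),
    Rule("permit", "10.20.0.0/24", "10.30.0.0/24", "tcp", 4840),
    Rule("permit", "10.10.0.0/16", "10.30.0.0/24", "tcp", 3389),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]
DENY_ALL = Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None)

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """First-match evaluation; no match falls through to deny (assumption)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s not in ipaddress.ip_network(r.src) or d not in ipaddress.ip_network(r.dst):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"

def representative_host(cidr: str) -> str:
    """First usable address in the zone subnet stands in for the zone."""
    return str(next(ipaddress.ip_network(cidr).hosts()))

def verify_ruleset(rules: List[Rule], conduits: Dict[Tuple[str, str], Set[Service]],
                   zones: Dict[str, str], extra_probes: Set[Service] = EXTRA_PROBES) -> List[Finding]:
    findings: List[Finding] = []
    probes: Set[Service] = set(extra_probes)
    for services in conduits.values():
        probes |= services
    # 1. Conduit matrix: permitted traffic must be in the spec, and every
    #    service the spec allows must actually get through.
    for src, dst in itertools.permutations(zones, 2):
        allowed = conduits.get((src, dst), set())
        for proto, port in sorted(probes):
            expected = "permit" if (proto, port) in allowed else "deny"
            actual = evaluate(rules, representative_host(zones[src]),
                              representative_host(zones[dst]), proto, port)
            if actual != expected:
                findings.append(Finding("conduit-matrix",
                    f"{src}->{dst} {proto}/{port}: expected {expected}, got {actual}"))
    # 2. Ruleset hygiene: explicit default deny last, no blanket permits.
    if not rules or rules[-1] != DENY_ALL:
        findings.append(Finding("default-deny", "ruleset does not end with an explicit deny-all"))
    for r in rules:
        if r.action == "permit" and ("0.0.0.0/0" in (r.src, r.dst) or r.dport is None):
            findings.append(Finding("blanket-permit", f"over-broad permit: {r}"))
    return findings

FIXED = [r for r in AS_BUILT if r.dport != 3389]  # ruleset after the punchlist item is closed

if __name__ == "__main__":
    for f in verify_ruleset(AS_BUILT, CONDUITS, ZONES):
        print(f"[{f.check}] {f.detail}")
    print("findings on fixed ruleset:", len(verify_ruleset(FIXED, CONDUITS, ZONES)))
```

Against the constructed ruleset the only finding is the corporate-to-control RDP path, which is exactly the kind of vendor convenience rule that survives a functional FAT unnoticed because nothing in the process test exercises it; removing that rule clears the punchlist. Dropping the trailing deny-all produces a second, separate finding even though the traffic results are unchanged, because relying on an implicit default deny is itself a gap the spec should not accept.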
Slide 19: Integrating Cybersecurity into the ICS Project Lifecycle
(Lifecycle diagram from slide 6, repeated as a section divider)
Slide 20: Security Management Processes must be Developed and Maintained
• ICS Asset Management
• Access Control
• Malware Prevention (antivirus and/or whitelisting)
• Patch Management
• System Backups
• Change Management
• Network monitoring and intrusion detection
• Security incident and event management (SIEM)
• Information & Documentation Management
Slide 22: Incident Response
• The incident response lifecycle
• Incident analysis / forensics
• Planning
• Incident Prevention
• Detection
• Containment
• Remediation
• Recovery & Restoration
Slide 23: Benefits of Integrating Cybersecurity into the ICS Project Lifecycle
• Common understanding of cyber risk
• Common understanding of what needs to be done to secure the system and why it is important
• Verification that security is properly implemented
• Operations staff security aware and trained prior to startup
• Technically and procedurally better prepared to manage, monitor and respond to security incidents
(Lifecycle diagram from slide 6 shown alongside the bullets)
Slide 24: Critical Success Factors
• Have realistic and achievable goals
  – Demonstrating success is critical for future projects
  – Have a clear vision of what success looks like
• Define roles and responsibilities
• Assign an ICS Cybersecurity Lead for the duration of the project
  – Independent from the EPC, vendors and system integrators
• Frequent communication with all stakeholders


Editor's Notes

  • #2 The original title of this presentation was “Cybersecurity Acceptance Testing”. However, as I was developing this presentation I decided to broaden the topic to discuss the benefits and challenges of integrating cybersecurity into a greenfield ICS project.
  • #3 We have been supporting the CISO of a midstream O&G company for several years in the development of their Corporate Cybersecurity Management Program which covers both IT and OT. We are also in the process of helping them perform cyber assessments of their existing infrastructure. In the meantime, the company is involved in a very large capital project to build a NGL facility. So this presentation is a bit of a case study on that project but also presents some general information on integrating cybersecurity into greenfield ICS project based on our experience in doing so.
  • #7 Add resource plan (roles and responsibilities) Involve Operations early
  • #8 The standards I mentioned say you have to perform ICS cybersecurity risk assessments but until recently didn’t say “how”. The new 62443-3-2 draft standard documents a process that has been successfully applied by numerous corporations in the process industries – particularly those impacted by PSM regulations. The process is a modification of the HAZOP process hazard analysis methodology. It is a systematic approach that breaks down the ICS system(s) into units and nodes and analyzes the threats, vulnerabilities and consequences to estimate risk using the corporation’s standard risk matrix. Numerous benefits include:
  • #9 The standards I mentioned say you have to perform ICS cybersecurity risk assessments but until recently didn’t say “how”. The new 62443-3-2 draft standard documents a process that has been successfully applied by numerous corporations in the process industries – particularly those impacted by PSM regulations. The process is a modification of the HAZOP process hazard analysis methodology. It is a systematic approach that breaks down the ICS system(s) into units and nodes and analyzes the threats, vulnerabilities and consequences to estimate risk using the corporation’s standard risk matrix. Numerous benefits include:
  • #10 Add resource plan (roles and responsibilities) Involve Operations early
  • #13 Add resource plan (roles and responsibilities) Involve Operations early
  • #15 Add resource plan (roles and responsibilities) Involve Operations early
  • #20 Add resource plan (roles and responsibilities) Involve Operations early