
Introduction to Industrial Cybersecurity for Water and Waste Water Operators



Introduction to Industrial Cybersecurity concepts based around ISA/IEC 62443 and a look at what the Defense in Depth strategy looks like in Critical Infrastructure for Water and Waste Water Operators. Originally presented at EOCP 2020 Virtual Conference in BC, Canada.

  1. #EOCP2020 www.icieng.com/eocp2020
     Intro to Industrial Cybersecurity and ISA/IEC 62443 for Operators
     EOCP OPERATOR CONFERENCE, SEPTEMBER 16, 2020
     Introduction to Industrial Cybersecurity concepts based around ISA/IEC 62443 and a look at what the Defense in Depth strategy looks like in Critical Infrastructure for Water and Wastewater Operators.
  2. About Presenters
     • Sean R. Bouchard, P.Eng.
       • ISA/IEC 62443 – CFS
     • Bill McMillan, AScT
       • Kootenay Utility Services
     Kootenay Utility Solutions ensures the safe operation of small water and wastewater systems for First Nations and non-First Nations alike. If we can make it safer, why not?
     Engineering and Securing Industrial Automation and Control Systems
  3. Presentation Activity!
     • Crossword puzzle based on the content of this presentation, available with the slide package or on our website (along with the answer key) at www.icieng.com/eocp2020
  4. Cybersecurity in BC
     • National Cyber Security Strategy
       • https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl-cbr-scrt-strtg/index-en.aspx
     • Reporting an Incident
       • https://cyber.gc.ca/en/cyber-incidents
       • RCMP
     • Privacy Acts (Be aware of additional acts when collecting data)
       • FOIPPA (Information Privacy & Security)
       • FIPPA, Privacy Act (Federal), Access to Information Act (Federal)
       • https://www2.gov.bc.ca/gov/content/governments/services-for-government/policies-procedures/foippa-manual
     • CSA Staff Notice on Cybersecurity
  5. Threat Landscape – 5 Common Myths, Recap
     • Five Common Myths about Industrial Cybersecurity
       1. We don't connect to the internet
       2. Our control systems are behind a firewall
       3. Hackers don't understand control systems
       4. Our facility is not a target
       5. Our safety systems will protect us
     • Want more? Visit www.icieng.com/eocp2020 for details from the Cybersecurity Demonstration Presentation yesterday (Darren & Rob @ ICI)
  6. ISA/IEC 62443 Standard – What is it?
     • An Informative Standard
     • International
     • Provides a framework to address and mitigate current and future security vulnerabilities in Operational Technology
     • Includes guidelines for identification and management of cybersecurity risks
       • Assessments (high-level and detailed)
       • Gap Analysis
       • Documentation (Change Management, etc.)
     ISA: International Society of Automation
     IEC: International Electrotechnical Commission
     IACS: Industrial Automation and Control Systems
     OT: Operational Technology
  7. IT and OT
  8. ISA/IEC 62443 Standard – IT and OT
     • Maturity of systems: IT, CSMS, Engineering, OQM
     • Confidentiality vs. Availability
     • Risks: Financial, Information Loss vs. Health, Safety, Environment
     • Different Protocols
     • Life Span
       • IT: 3-5 Years
       • OT: ~20 Years
  9. Pitfalls
     • Continuous Improvement and Failure Analysis
     • Communication
     • Training (and training fatigue)
       • Integration with HSE is required, but training should be separated.
     • Documentation (or lack thereof)
     • Starting detailed Cybersecurity implementation without a rationale
     • Addressing only one component of an IACS
     • Management support (or lack thereof)
  10. Defense in Depth (DiD)
      • A layered approach to applying countermeasures or defensive mechanisms
      • Not symmetrical – some categories require more attention than others
      • Dependencies
      • Detection-in-Depth (5D's)
      • Accountability
      • What is your organization's “Risk Tolerance”?
  11. Defense in Depth – Physical Security
      • Location, location, location.
      • Physical access to a system or equipment is a vulnerability.
  12. Defense in Depth – Policies & Procedures
      • A component of a Cyber-Security Management System (CSMS) established from a Risk Assessment
      Diagram boxes, in the order they appear on the slide: Initiate CSMS; High Level Risk Assessment; Detailed Risk Assessment; High Level Risk Assessment; Establish Policy, Organization / Awareness; Select and Implement Countermeasures; Maintain CSMS
  13. Defense in Depth – Zones & Conduits
      Diagram: Flat Network Example (WAN / INTERNET)
  14. Defense in Depth – Zones & Conduits
      Diagram: Flat Network Example – Single Device Compromised (WAN / INTERNET)
  15. Diagram: segmented network with zones and conduits
      • Zones: ENTERPRISE ZONE, SCADA ZONE, ENGINEERING ZONE, PLANT ZONE, I/O ZONE; connection to WAN / INTERNET
      • Firewalls: Enterprise Firewall, DMZ Firewall, OT Firewall (x2)
      • Devices: Office Phone, Office Printer, Email Workstation, SCADA Server, Operator Interface, Engineering Workstation, OT Controller (PLC), Process IO Device
      • Four CONDUITs joining the zones
  16. Diagram: same segmented network as slide 15 (same zones, firewalls, devices and conduits)
  17. Defense in Depth – Malware Prevention
      • Reduce the risk and impact of Malware
        • Internal sources
        • External sources
      • Control systems are custom solutions, and conventional anti-virus systems cannot be deployed on embedded systems such as a PLC.
      • Training!
  18. Defense in Depth – Access Controls
      • Authentication
      • Authorization
      • Audit
  19. Defense in Depth – Monitoring & Detection
      • Host or Network based detection.
      • Collecting information does NOT do any good unless you can detect and act on it.
  20. Defense in Depth – Patching
  21. What you can do today
      • Passwords
      • Physical Security
      • Firewalls (anything default?)
      • Keyswitch on PLC – Run vs. Program?
      • Remote Access
      Defense in Depth (DiD):
        1. Physical Security
        2. Policies & Procedures
        3. Zones & Conduits
        4. Malware Prevention
        5. Access Controls
        6. Monitoring & Detection
        7. Patching
  22. Learning More – Resources & Groups
      • Public Safety Canada
        • https://www.publicsafety.gc.ca/cnt/ntnl-scrt/crtcl-nfrstrctr/index-en.aspx
      • Canadian Center for Cybersecurity: https://cyber.gc.ca/en/
      • (USA) ICS-CERT: https://us-cert.cisa.gov/ics
      • (USA) Cybersecurity and Infrastructure Security Agency
      • ISA99 Committee
        • https://www.isa.org/standards-and-publications/isa-standards/isa-standards-committees/isa99
      • Get involved – Canadian Youth Cyber Education Initiative:
        • https://www.cybertitan.ca/
      • Reminder – Further references to material in these slides can be found on our website at www.icieng.com/eocp2020
  23. Q&A
      Bill McMillan, Kootenay Utility Services: wjamcmillan@gmail.com, 250-687-1889
      Sean R. Bouchard, P.Eng., ICI Electrical Engineering: srb@icieng.com, 778-220-7269, Twitter: @seanrbouchard
      For more information, see our website: www.icieng.com/eocp2020
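The zone-and-conduit model on slides 15 and 16, together with the slide 19 point that collected information only helps if something evaluates it and acts on it, as an added example that is not part of the presentation or of ICI's material. The zone subnets, the allowed conduits and their ports, the hosts and the firewall-log format are all constructed for this illustration; a real deployment would take them from the site's own zone and conduit drawing and from whatever the OT firewalls actually log.

```python
"""Zone-and-conduit policy check over constructed firewall flow records.

Added illustration (not from the EOCP presentation): models the zones on
slides 15/16 and applies the slide 19 point that collected logs only help
if something evaluates them. All hosts, subnets, ports and log lines are
constructed examples.
"""
import ipaddress
import re
from collections import Counter

# Constructed zone model: which subnet belongs to which zone.
ZONES = {
    "ENTERPRISE": ipaddress.ip_network("10.10.0.0/24"),
    "SCADA": ipaddress.ip_network("10.20.0.0/24"),
    "ENGINEERING": ipaddress.ip_network("10.30.0.0/24"),
    "PLANT": ipaddress.ip_network("10.40.0.0/24"),
    "IO": ipaddress.ip_network("10.50.0.0/24"),
}

# Constructed conduit policy: (source zone, destination zone) -> allowed TCP ports.
# Anything not listed is denied, so an enterprise host never reaches the PLC directly.
CONDUITS = {
    ("ENTERPRISE", "SCADA"): {443},          # read-only view of SCADA through the DMZ firewall
    ("SCADA", "PLANT"): {502},               # SCADA server polls the PLC (Modbus/TCP)
    ("ENGINEERING", "PLANT"): {502, 44818},  # engineering workstation programs the PLC
    ("PLANT", "IO"): {502},                  # PLC to remote I/O
}

# Constructed log format: "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def zone_of(ip: str):
    """Return the zone name for an address, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def check_flow(line: str) -> dict:
    """Classify one flow record as 'allowed', 'intra-zone' or 'violation'."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    ts, src, _sport, dst, dport, proto = m.groups()
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    dport = int(dport)
    if src_zone is not None and src_zone == dst_zone:
        verdict = "intra-zone"          # never crosses a conduit; out of scope here
    elif src_zone is None or dst_zone is None:
        verdict = "violation"           # from outside every zone (e.g. WAN) straight into OT
    elif dport in CONDUITS.get((src_zone, dst_zone), set()):
        verdict = "allowed"
    else:
        verdict = "violation"           # crosses zones on a path or port no conduit permits
    return {"ts": ts, "src": src, "dst": dst, "src_zone": src_zone, "dst_zone": dst_zone,
            "dport": dport, "proto": proto, "verdict": verdict}


def audit(lines):
    """Run every record through the policy; return (violations, verdict counts)."""
    results = [check_flow(l) for l in lines if l.strip()]
    violations = [r for r in results if r["verdict"] == "violation"]
    return violations, Counter(r["verdict"] for r in results)


# Constructed sample records (not real traffic).
SAMPLE_LOG = """\
2020-09-16T09:00:01 10.20.0.5:40001 -> 10.40.0.10:502 TCP
2020-09-16T09:00:02 10.30.0.7:40002 -> 10.40.0.10:44818 TCP
2020-09-16T09:00:03 10.10.0.23:40003 -> 10.40.0.10:502 TCP
2020-09-16T09:00:04 10.10.0.23:40004 -> 10.20.0.5:443 TCP
2020-09-16T09:00:05 203.0.113.9:40005 -> 10.40.0.10:502 TCP
2020-09-16T09:00:06 10.10.0.23:40006 -> 10.10.0.40:9100 TCP
"""

if __name__ == "__main__":
    bad, counts = audit(SAMPLE_LOG.splitlines())
    print(dict(counts))
    for v in bad:
        print(f"{v['ts']} {v['src']} ({v['src_zone']}) -> {v['dst']} ({v['dst_zone']}):{v['dport']} "
              "denied by conduit policy")
```

On the flat network of slides 13 and 14 the third and fifth records (an email workstation and a WAN address talking straight to the PLC) would simply succeed; the conduit policy is what the OT firewalls on slide 15 enforce, and running the same policy over the firewall logs is the detection step slide 19 asks for. The two flagged records are the ones an operator would act on.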
