DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 compliance

DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 and ICS Security IEC62443 standards

  1. Crypto-Flow Segmentation / Encryption - Compliance
     Shah H Sheikh – Sr. Security Solutions Consultant, MEng CISSP CISA CISM CRISC CCSK
  2. Crypto-Flow and Compliance
     • ISO27001:2013
     • PCI-DSS v3
     • IEC-62443 (SCADA)
     • NESA
     • Cloud Security Alliance
  3. Crypto-Flow / ISO27001:2013
     Where encryption applies:
     • On mobile devices such as laptops and smartphones
     • For authorised use of removable media such as USB memory sticks
     • Where classified data is transmitted across communications lines that extend beyond the boundaries of the organization, e.g. over the Internet, Extranet…
  4. Crypto-Flow / ISO27001:2013
     Process/Situation | Technique | Specific Guidance
     E-Commerce transactions over the Internet | Symmetric encryption using SSL/TLS (asymmetric techniques used to share the session key) | RSA to be used for public key cryptography. Certificates to be obtained from Thawte
     Protection of data on removable media | Symmetric encryption using TrueCrypt | AES-256 encryption to be used where available
     Protection of passwords on systems | All passwords must be hashed | MD5 hashing to be used where available
     Email Security | Symmetric/asymmetric encryption using S/MIME | Features available in MS Outlook should be used to simplify the process
     Remote Access | Virtual Private Network (VPN) using SSL | An SSL VPN may be used where permitted by the Network Security Policy
  5. Crypto-Flow / ISO27001:2013
     Testing and Validation of Implemented Control Objectives
     Once deployed, it is critical that the security of the encryption be tested under conditions as realistic as possible in order to identify any weaknesses. Such testing should cover the use of:
     • commonly available software tools to try to break the encryption
     • social engineering methods to try to discover the key
     • interception of encrypted data at various points in its transmission
  6. Crypto-Flow / ISO27001:2013
     Key Management
     • Key generation (HSM integration)
     • Distribution of keys to point of use
     • Storage at point of use
     • Backup as protection against loss
     • Recovery in the event of loss
     • Updating keys once expired
     • Revoking if compromised
     • Archiving once expired
     • Destroying when no longer required
     • Logging and auditing of key management related activities
  7. Crypto-Flow / PCI-DSS v3
     Transport networks carrying cardholder data:
     • Internet
     • 3G / LTE
     • MPLS
     • VPLS
     • VSAT
     • IoT / M2M
  8. Crypto-Flow / PCI-DSS v3
     Crypto-Flow Network Segmentation (helps reduce the scope of PCI-DSS)
  9. Crypto-Flow / PCI-DSS v3
     • Encryption Overlay Network
     • Not rip-and-replace, but re-engineer existing networks to isolate the CDE
     • Ease of deployment – managed encryption with simple GUI-based policies and a key management server
     • Certes Networks uses strong cryptography and simple, flexible policies to isolate areas of the network without changing the physical or logical network topology.
     • This protection is stronger than traditional firewall-based approaches because it isolates the network using encryption rather than relying only on the packet headers.
  10. Crypto-Flow / IEC62443 (SCADA)
  11. Security Zone Definition
     • “Security zone: grouping of logical or physical assets that share common security requirements”. [ANSI/ISA-99.01.01–2007, 3.2.116]
       – A zone has a clearly defined border (either logical or physical), which is the boundary between included and excluded elements.
     (Diagram: HMI Zone, PLC Zone)
  12. Conduits
     • A conduit is a path for the flow of data between two zones.
       – It can provide the security functions that allow different zones to communicate securely.
       – Any communication between zones must have a conduit.
     (Diagram: HMI Zone, PLC Zone, Conduit)
  13. Protecting the Network with Zones and Conduits
     • A firewall in each conduit will allow only the MINIMUM network traffic necessary for correct plant operation.
     (Diagram: HMI Zone, PLC Zone, Firewall)
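The zone-and-conduit rules on the three slides above, turned into a small policy check as an added example (this is not code from the deck or from Certes): assets belong to zones, traffic inside a zone passes, and traffic between zones is denied unless a conduit exists and its allow-list names that exact direction, protocol and port. Zone names follow the slides; asset names and the single Modbus/TCP allow rule are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    src: str    # source asset
    dst: str    # destination asset
    proto: str  # "tcp" / "udp"
    port: int

@dataclass
class Conduit:
    """Path between two zones. 'allowed' is the explicit minimum allow-list the
    firewall in the conduit enforces: {(from_zone, to_zone, proto, port)}."""
    zone_a: str
    zone_b: str
    allowed: set = field(default_factory=set)

class ZoneModel:
    def __init__(self):
        self.zone_of = {}     # asset -> zone name
        self.conduits = []

    def add_zone(self, name, assets):
        for asset in assets:
            self.zone_of[asset] = name

    def evaluate(self, flow):
        """Return (allowed, reason). Anything not explicitly modelled is denied."""
        src_zone, dst_zone = self.zone_of.get(flow.src), self.zone_of.get(flow.dst)
        if src_zone is None or dst_zone is None:
            return False, "asset is outside every defined zone"
        if src_zone == dst_zone:
            return True, f"intra-zone traffic inside {src_zone}"
        for c in self.conduits:
            if {c.zone_a, c.zone_b} == {src_zone, dst_zone}:
                if (src_zone, dst_zone, flow.proto, flow.port) in c.allowed:
                    return True, f"permitted by conduit {src_zone} <-> {dst_zone}"
                return False, f"conduit exists but {flow.proto}/{flow.port} {src_zone} -> {dst_zone} is not on its allow-list"
        return False, f"no conduit between {src_zone} and {dst_zone}"

def build_demo_model():
    """Constructed HMI/PLC example: hypothetical asset names, one allow rule."""
    model = ZoneModel()
    model.add_zone("HMI Zone", ["hmi-01", "eng-ws-01"])
    model.add_zone("PLC Zone", ["plc-01", "plc-02"])
    conduit = Conduit("HMI Zone", "PLC Zone")
    conduit.allowed.add(("HMI Zone", "PLC Zone", "tcp", 502))  # HMI polls PLCs (Modbus/TCP) only
    model.conduits.append(conduit)
    return model
```

Note that the reverse direction (PLC initiating to HMI) and any other port are refused even though a conduit exists, which is what the "minimum traffic" rule on the firewall slide means in practice.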
  14. Firewalls: Current Attempt at Security
     (Diagram: Shared SCADA Network)
     • Firewalls
       – Deployed with equipment
       – Inspects network traffic
     • Challenges
       – No integrity protection of data
       – No protection against data replay, injection, or modification
       – Hard to dynamically adjust policies to allow zone-based access – static configuration
       – Once deployed – retained
  15. VLANs: Current Attempt at Isolation
     (Diagram: Shared SCADA Network, VLAN 123)
     • VLAN
       – Defined across the shared ICS network
       – Terminates at individual network ports
       – High cost per managed port
     • Challenges
       – Security configuration embedded in the core network
       – Secure perimeter – no internal security
       – Security through switching
       – No visibility by users
       – Change management is difficult
  16. Certes: Crypto Flow
     Isolation and Flexibility, Simultaneously
     (Diagram: Certes TrustNet Manager, Certes™ Encryptors, Shared SCADA Network, HMI, PLC)
  17. The Purdue Model – Secure Architecture
     (Diagram: Level 4 Business Network with UPS Clients; Level 3.5 DMZ & Firewalls; Levels 3 to 1 with PHD Shadow Server, PHD Buffer Server, Data Collector, EPKS Server and DCS Servers)
     • Data is given to the users (PHD Clients) from the Shadow Server
     • The PHD Buffer Server collects the data from the Experion or DCS Servers
     • The Data Collector collects the data from controllers, pumps, valves etc.
     • Clients from the network cannot request data from the Data Collector directly
  18. Crypto-Flow / NESA
  19. Crypto-Flow / NESA
  20. Cloud Security Alliance
     Cloud Security Alliance Guide v3, Domain 11: Encryption and Key Management
     • Some key points:
       – Data in motion (not at rest)
       – Content-aware encryption
       – User-aware encryption
       – Format preservation
     • Common use cases:
       – Cloud hosting provider (public or private usage)
       – vCEP deployment
       – User-aware encryption
       – A virtual encrypted overlay from your DC to the cloud
  21. Shah H Sheikh – Sr. Security Solutions Consultant, MEng CISSP CISA CISM CRISC CCSK