SDL Deployment in ICS

Secure Development Lifecycle Deployment in Industrial Control System


  1. SDL Deployment in Industrial Control Systems. Mayur Mehta
  3. Cyber Incidents
  4. Cyber Threats Emerged Over Time [chart; axis labels: Sophistication, Decades]. Source: MITRE
  5. [Chart; axis labels: RowCount, Vendors] • The NIST CVE database: 71,500+ vulnerabilities. • Chart based on ICS 408 CVE. Source: Recorded Future
  6. SHODAN
  7. NORSE View
  8. Cost of Security Lapse • After release, a fix costs 30 times more than one made in the design phase (per the National Institute of Standards and Technology). • Goodwill loss: customer's productivity and confidence. [Chart; bar labels: 2.5x, 5x, 10x, 15x, 30x; phases: Requirement/Architecture, Coding, Integration/Component Testing, System/Acceptance Testing, Production/Post Release]
  9. SDL – “Secure Development Lifecycle”: SDL helps us reduce product maintenance costs and increase the reliability of software with respect to security-related issues.
  10. Training
  11. • Bare minimum knowledge • Role-based knowledge
  12. Requirements
  13. • Evaluate requirements: • Access Control (Authentication), • Use Control (Authorization), • Logging (Auditing), • Confidentiality, • Integrity, • Availability. • Standards: • IEC-62443 • IEC-62351 • NIST 800-82/800-53 • NERC CIP
  14. Design
  15. Step 1: Perform Threat Modeling. Security design practice. Step 2: Produce a Mitigation Action Plan. STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) & DREAD (Damage Potential, Reproducibility, Exploitability, Affected Users, and Discoverability). Step 3: Perform Attack Surface Analysis & Reduction. Step 4: Conduct a Secure Architecture Design Review.
  16. Implementation
  17. Step 1: Implement security features. Step 2: Use approved tools. Step 3: Secure coding practices • Review Source Code – top 10 to top 100 best secure coding practices • Perform Static Analysis – using Klocwork, FxCop, Fortify etc. • Analyze & fix security issues
  18. Verification
  19. Step 1: Penetration test plan - attack surface and security requirements. Step 2: Test security requirements against attack vectors. Step 3: Manual and/or automated vulnerability assessment. Step 4: Penetration attempts. Step 5: Remove false positives. Step 6: Final report with evidence(s).
  20. Release
  21. Step 1: Results vs goals. Step 2: Security features & settings in documentation.
  22. Response
  23. • Incident response • Providing fixes for zero-day vulnerabilities • Forensic analysis • Binary vulnerability scanning • Responsible disclosure
  24. • Security is not a goal that can be reached • New vulnerabilities are discovered daily • Threats continue to evolve • Weak points in the system change, becoming new points of attack • Security is a process and an attitude. SDL – “Secure Development Lifecycle”
  25. Reference • http://nvlpubs.nist.gov/ • NIST 800-82 Guide to Industrial Control Systems (ICS) Security • Microsoft SDL • www.recordedfuture.com • http://www.isasecure.org/ • NERC - North American Electric Reliability Corporation • IEC 62443 (formerly ISA-99) • ISO 27001 and 27002 • OWASP - www.owasp.org/ • SE PSO wiki. The key to successful cyber defence is preparation... Thank you.