This document discusses cybersecurity protections for industrial control systems and critical infrastructures. It introduces Enzo M. Tieghi, the managing director of ServiTecno, who has over 30 years of experience in industrial software and over 10 years in security. Tieghi is involved with several associations focused on industrial cybersecurity standards. The document then outlines various industrial infrastructure systems and networks that require protection, and references common cybersecurity standards used, including ISA99, IEC 62443, NIST 800-53 and 800-82, NERC CIP, ISO 27001, and the SANS 20 critical security controls.

1. AIIC Associazione Italiana
Esperti Infrastrutture Critiche
Proteggiamo da incidenti cyber reti e Sistemi
di controllo e automazione nell’industria e
nelle infrastrutture
Enzo M. Tieghi - etieghi@servitecno.it
em.tieghi@infrastrutturecritiche.it
www.servitecno.it Dott. Enzo Maria Tieghi

2. …ad esempio…chi conosce già SUKI?
(video)
2
www.servitecno.it

3. Enzo Maria Tieghi
3
 Amministratore Delegato di ServiTecno
(oltre 30 anni Software Industriale, oltre 10 anni Security)
 Consigliere AIIC, attivo in Associazioni e gruppi di studio per la
cyber security industriale (ISA99 info-member)
 In Advisory Board, gruppi e progetti internazionali su Industrial
Security e CIP (Critical Infrastructure Protection)
 Co-autore ed autore pubblicazioni, articoli e memorie
 http://it.linkedin.com/in/etieghi
www.servitecno.it

4. Dove sono i sistemi da proteggere?
4
Ovunque: Industrial, Processes,
Buildings, Manufacturing &
Infrastructures
www.servitecno.it

5. Definiamo il “perimetro”…
5
IT Security & Control System Protection: dove?
www.servitecno.it

6. ANSI/ISA95 Functional Hierarchy
Level 4
Level 3
Level 2
Level 1
Business Planning
& Logistics
Plant Production Scheduling,
Operational Management, etc
Manufacturing
Operations Management
Dispatching Production, Detailed Production
Scheduling, Reliability Assurance, ...
Batch
Control
Discrete
Control
Continuous
Control
4 - Establishing the basic plant schedule -
production, material use, delivery, and
shipping. Determining inventory levels.
Time Frame
Months, weeks, days
3 - Work flow / recipe control to produce the
desired end products. Maintaining records
and optimizing the production process.
Time Frame
Days, Shifts, hours, minutes, seconds
2 - Monitoring, supervisory control and
automated control of the production process
1 - Sensing the production process,
manipulating the production process
Level 0 0 - The actual production process
6
www.servitecno.it

7. Dove sono questi sistemi?
7
www.servitecno.it

8. Source:
8
Source: Klaus.Kursawe@ENCS.EU - SANS ICS 2014 Amsterdam

9. A SANS - Feb.2013 survey
9
www.servitecno.it

10. Survey Participants:
10
www.servitecno.it

11. Participants, size
11
www.servitecno.it

12. Threats, concerns
12
www.servitecno.it

13. Used Standards
www.servitecno.it
13

14. ISO 2700x family (ISMS)
14
www.servitecno.it

15. NIST: SP800-53 & SP800-82
15
www.servitecno.it

16. NERC, CIP v5 001-009…
16
CIP-010: Cyber Security Configuration
Management and Vulnerability
Assessment
CIP-011: Information Protection Critical
Control
www.servitecno.it
…

17. ISA99-IEC62443
17
www.servitecno.it

18. ISA99-IEC62443
18
www.servitecno.it

19. Network/System Segmentation
19
 Limit the ingress and egress points
through zone boundaries
 Protect the connections between
zones
 Zones & conduits are logical
 For practical purposes, match zones
to network architecture as much as
possible
www.servitecno.it

20. 20
Network/System Segmentation
www.servitecno.it

21. SANS 20 Critical Security Controls
21
www.servitecno.it

22. ENISA Documents
22
www.servitecno.it

23. ISO27k vs ISA99 vs 61508-511: Security vs Safety
23
www.servitecno.it

24. Industrial Ethernet vs Industrial Bus
24
www.servitecno.it

25. 25
Industrial Ethernet: which one?
www.servitecno.it

26. Per maggiori informazioni?
26
www.servitecno.it
26

27. 27
Domande? Dubbi?
Enzo M. Tieghi: etieghi@servitecno.it
em.tieghi@infrastrutturecritiche.it
www.servitecno.it