The document discusses cyber security standards, solutions, and challenges for industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. There are too many security standards for different industries that can complement technical solutions, but no single standard covers everything, adding to complexity. Choosing the right standard is key, as there is no single solution. General challenges include overlapping standards, varying definitions, growing compliance complexity, and limited compliant ICS/SCADA suppliers.

1. Cyber Security Standards, Solution Tips & Challenges
Ahmed M. Al Enizy
IT Security Manager
International Systems Engineering

2.  In the era of Cyber War, securing ICS and SCADA systems
helps in protecting national infrastructure thus preserving
steady national economic growth. But deploying the right
technical and/or physical solutions is not enough.
 There are too many Security Standards for each industry
that can complement Technical Solutions.
 There is no single Standard that covers everything.
 This adds to the increasing complexity of ICS/SCADA
Management, Governance, and Compliance.
2 10/3/2012

3.  Difference between
Standards, Frameworks, and Best Practices
 ICS/SCADA Security Standards
 Which One is Good?
 Solution Tips
 How Does ISO 27001 Works?
 General Challenges
3 10/3/2012

4. Act
Legal
Regulation
Standard
Technical Framework
Best Practice
4 10/3/2012

5.  14 different standard for different
Infrastructure Sectors (Energy and
Power, Oil, Chemical, Defense, Wate
r Treatment, Emergency
Services, IT, Communications)
 API - American Petroleum Institute
 IEC - International Electrotechnical
Commission
 IEEE - Institute of Electrical and
Electronic Engineers
 ISA – Instrumentation, Systems, and
Automation Society
 ISO - International Organization for
Standardization
 NERC - North American Electric
Reliability Council
 NIST - National Institute of
Standards and Technology
5 10/3/2012

6.  Good standard
◦ Incorporates the Plan-Do-Check-Act approach.
◦ Mature and stable.
◦ Not contradicting or in conflict with corporate or
international standards.
◦ Clear and easy to understand.
◦ Systematic.
◦ Realistic and practical.
◦ Solves all parts of the problem.
◦ Well structured and organized.
◦ Measurable.
◦ Has a clear accreditation and certification process.
◦ Widely followed and adapted.
6 10/3/2012

7.  There is no “silver bullet”, and definitely there is no single
solution.
 Avoid reinventing the wheel, we are using their
technologies therefor it is best to use their standards and
conceder consultation.
 It is a result of collaborative efforts through shared
responsibilities supported by commitment, resources, and
consultation.
 The right starting point is choosing the right standard.
 You can consider Corporate GRC program to adapt the
security standard you have chosen.
 GRC market solutions provide technical assistance and
automation in managing GRC program vertically and
horizontally.
7 10/3/2012

8. 8 10/3/2012

9. Compliance
Flexibility Integration
Process
Support
Authority
Psychological Awareness Cost
Factors
People Tech.
Commitment
Limitation
Cultures
Complexity
9 10/3/2012

10.  Overlapping and intersection between
standards.
 Overlapping and varying abbreviations and
definitions.
 Growing complexity of compliance both
vertical and horizontal.
 Limited compliant ICS/SCADA suppliers with
Security Standards.
10 10/3/2012

11. 11 10/3/2012