7th Kuwait Info Security Forum 2015

1. Quality Assurance:
The 80% of Industrial Control
Systems Cybersecurity
-Rabbani Syed

2. Quality Assurance: The 80% of ICS Security
1. The ICS Context
2. The Challenges
3. Technology, People, Processes
4. Quality Assurance Processes & Frameworks

3. About me
Rabbani Syed
Systems Analyst, IT Quality Management, Information Technology, KNPC
Previous: Systems Engineer – Kuwait Controls Co.
◦ SCADA, DCS & Telemetry Systems for MEW
Senior Engineer, Bharat Electronics (BEL-India)
◦ Design & Development of Real Time Computer Systems for Electronic
Warfare Systems (Anti-Radar and Electronic Counter Measure Systems)
M. Engg. in ECE – Osmania University, B. Tech in ECE – JNTU, India
Certifications: PMP, CISSP, CISA, CISM, CGEIT
Certificates: ISO27001LA, ISA99 Cybersecurity Fundamentals Specialist

4. The ICS Context
ICS – Industrial Control
Systems (SCADA, DCS, PLCs,
Telemetry, Building Automation
Systems etc.)
OT – Operational Technology
IT – Information Technology

5. The ICS Context
Confidentiality
Integrity
Availability
Confidentiality
Integrity
Availability
IT
OT

6. The ICS Context
Differing Performance Requirements:

7. The ICS Context
Differing Reliability Requirements:

8. The ICS Context
Differing Risk Management Approaches

9. The Challenges:
1. Changes in the ICS Architecture
2. Multi-vendor EPC Contracts
3. Management Expectations
4. Over 20+ Standards
5. SIL Certification does not evaluate Cybersecurity
6. Hackers – No Experience required
7. Unintentional Security Incidents
8. The depth and breadth of ICS Security Tasks

10. The Challenge:
Changes in the ICS Architecture
• ICS now use commercial technology
• Highly connected to internet
• Offer remote access

11. The Challenge:
Multi-vendor EPC Contracts

12. The Challenge:
Management Expectations

13. The Challenge:
SIL Certification does not evaluate Cybersecurity
• IEC 61508 Certification (SIL Certification)
does not evaluate security.

14. The Challenges
Over 20+ Standards
1. ISA 99 / IEC 62443 Cybersecurity Standard for ICS
2. NIST SP800-82 : Guide to Industrial Control Systems Security
3. NERC – CIP 002 through CIP -009
4. Oil & Gas Sector: API Standard 1164 – SCADA Security
5. Water & Waste Water Sector Standards
6. Chemical Sector Standards
7. ……

15. The Challenge:
Hackers – No Experience required
Nessus plugins and Metasploit modules have been publically released enabling anyone to find and
exploit these vulnerabilities.

16. The Challenge:
Hackers – No Experience required
www.rapid7.com, www. shodan.com; Free code to crash PLCs available on internet.

17. The Challenge:
Hackers – No Experience required

18. The Challenge:
Unintentional incidents
80% of actual control system security incidents were unintentional (www.risidata.com)

19. ISA99 / IEC 62443

20. ISA99 / IEC 62443 – Zones & Conduits

21. Technology, People and Processes
1. Technology
◦ The Cost-Benefit Analysis
2. People
◦ Is security awareness enough?
3. Processes
◦ The 80% of ICS Security

22. Quality Assurance
1. Quality Assurance
2. The Processes
3. Frameworks

23. IT Frameworks
1. IT Governance - COBIT 5
2. IT Service Management - ITIL V3.1
3. Enterprise IT Architecture – TOGAF V9.1

24. TOGAF 9.1
1. Enterprise IT Architecture
2. Originated from TAFIM of
early 1980s, developed by US
Dept. of Defense
3. Provides an approach for
designing, planning,
implementing, and governing
an enterprise Information
Technology architecture.

25. COBIT 5
1. Governance & Management
Framework for Enterprise IT –
End to End
2. Building on 16 Year History
3. Provides Structure, Practices,
Tools for:
◦ Proactively deliver value
◦ Manage Risk
◦ Maximize ROI

26. ITIL V3.1
1. IT Service Management
Framework
2. Originated in late 1980s by
UK Govt’s CCTA
3. Focus on optimal service
provisioning at justifiable cost

27. NIST Cybersecurity Framework

28. NIST Cybersecurity Framework

29. NIST Cybersecurity Framework

30. Quality Assurance Processes & Frameworks:
The 80% of ICS Cybersecurity
THANK YOU