2. Quality Assurance: The 80% of ICS Security
1. The ICS Context
2. The Challenges
3. Technology, People, Processes
4. Quality Assurance Processes & Frameworks
3. About me
Rabbani Syed
Systems Analyst, IT Quality Management, Information Technology, KNPC
Previous: Systems Engineer – Kuwait Controls Co.
◦ SCADA, DCS & Telemetry Systems for MEW
Senior Engineer, Bharat Electronics (BEL-India)
◦ Design & Development of Real Time Computer Systems for Electronic Warfare Systems (Anti-Radar and Electronic Counter Measure Systems)
M. Engg. in ECE – Osmania University, B. Tech in ECE – JNTU, India
Certifications: PMP, CISSP, CISA, CISM, CGEIT
Certificates: ISO27001LA, ISA99 Cybersecurity Fundamentals Specialist
4. The ICS Context
ICS – Industrial Control Systems (SCADA, DCS, PLCs, Telemetry, Building Automation Systems etc.)
OT – Operational Technology
IT – Information Technology
9. The Challenges:
1. Changes in the ICS Architecture
2. Multi-vendor EPC Contracts
3. Management Expectations
4. Over 20 Standards
5. SIL Certification does not evaluate Cybersecurity
6. Hackers – No Experience required
7. Unintentional Security Incidents
8. The depth and breadth of ICS Security Tasks
10. The Challenge: Changes in the ICS Architecture
• ICS now use commercial (off-the-shelf) technology
• Highly connected to the internet
• Offer remote access
13. The Challenge: SIL Certification does not evaluate Cybersecurity
• IEC 61508 Certification (SIL Certification) does not evaluate security.
14. The Challenge: Over 20 Standards
1. ISA 99 / IEC 62443 – Cybersecurity Standard for ICS
2. NIST SP 800-82: Guide to Industrial Control Systems Security
3. NERC CIP-002 through CIP-009
4. Oil & Gas Sector: API Standard 1164 – SCADA Security
5. Water & Waste Water Sector Standards
6. Chemical Sector Standards
7. …
15. The Challenge: Hackers – No Experience required
Nessus plugins and Metasploit modules have been publicly released, enabling anyone to find and exploit these vulnerabilities.
16. The Challenge: Hackers – No Experience required
www.rapid7.com, www.shodan.com; free code to crash PLCs is available on the internet.
21. Technology, People and Processes
1. Technology
◦ The Cost-Benefit Analysis
2. People
◦ Is security awareness enough?
3. Processes
◦ The 80% of ICS Security
23. IT Frameworks
1. IT Governance - COBIT 5
2. IT Service Management - ITIL V3.1
3. Enterprise IT Architecture – TOGAF V9.1
24. TOGAF 9.1
1. Enterprise IT Architecture
2. Originated from TAFIM of the early 1980s, developed by the US Dept. of Defense
3. Provides an approach for designing, planning, implementing, and governing an enterprise Information Technology architecture.
25. COBIT 5
1. Governance & Management Framework for Enterprise IT – End to End
2. Building on a 16-year history
3. Provides structure, practices and tools to:
◦ Proactively deliver value
◦ Manage risk
◦ Maximize ROI
26. ITIL V3.1
1. IT Service Management Framework
2. Originated in the late 1980s with the UK Government’s CCTA
3. Focus on optimal service provisioning at justifiable cost