So…
How do we start?
Caught between regulation,
requirements, and standards
IEC 62443
ISO 27032
ISA 99
NIST
ANSSI
NERC CIP
BDSG
WIB
NIS directive
IACS Cybersecurity Standards
Cybersecurity Standards Deliver:
✓ Common Industry Language and Terminology
✓ Standardized Methodology
✓ Guidance on how to answer:
What is my current risk?
What would be a more acceptable level of
risk for my organization?
How do I get to that more acceptable level?
IEC 62443
IEC 62443
gives us the ability to communicate
in an unambiguous way
Align with industry framework
Compliance & standards
Applies to those responsible for designing, manufacturing,
implementing or managing industrial control systems:
• End-users (i.e. asset owner)
• System integrators
• Security practitioners
• ICS product/systems vendors
ISA/IEC 62443: Series of standards that define procedures for
implementing electronically secure Industrial Automation and Control
Systems (IACS).
*Equivalence to ISO 27001 and NIST Cybersecurity Framework
based on a holistic Defense in depth concept
IEC 62443
A secure application depends on multiple layers of diverse protection and industrial security must be
implemented as a system
Defense-in-Depth
Deploying Network Security
▪ Defense in Depth
▪ Shield targets behind multiple levels of diverse security countermeasures to
reduce risk
▪ Openness
▪ Consideration for participation of a variety of vendors in our security solutions
▪ Flexibility
▪ Able to accommodate a customer’s needs, including policies & procedures
▪ Consistency
▪ Solutions that align with Government directives and Standards Bodies
BEFORE / DURING / AFTER
Plant security
Network security
System integrity
Defense in depth
IEC 62443
provides system design guidelines
IEC 62443
Addresses the entire life cycle
IEC 62443
provides a complete Cyber Security Management System
IEC 62443
The IEC62443/ISO27001 based method
▪ Identification and Business Impact Assessment
▪ Definition of Target Level
▪ Risk Assessment
▪ Development and Implementation of Protection Concept
▪ Definition of Scope
Getting started
What’s at risk?
▪ Loss of Life
▪ Stolen Intellectual Property
▪ Production Loss
▪ Unscheduled Downtime
▪ Damaged Equipment
▪ Environmental Impact
Risk analysis
▪ Business rationale
▪ Risk identification, classification and assessment
Monitoring and improving the CSMS
▪ Conformance
▪ Review, improve and maintain the CSMS
Understanding Risk
High-Level Security Risk Assessments (IEC 62443-3-2)
What is your current level of risk?

Impact     Remote  Unlikely  Possible  Likely  Certain
Trivial    1       2         3         4       5
Minor      2       4         6         8       10
Moderate   3       6         9         12      15
Major      4       8         12        16      20
Critical   5       10        18        20      25
“A good overview”
More info: https://www.ncsc.gov.uk/collection/risk-management-collection/component-system-driven-approaches/understanding-component-driven-risk-management
Risk methods and
frameworks
NIST Cybersecurity Framework
▪ Identify: Organization understands what the current state and risk is to systems, assets, and data
▪ Protect: Implement safeguards to ensure delivery of critical infrastructure services
▪ Detect: Implement appropriate activities to identify a cybersecurity event
▪ Respond: Implement activities to take action regarding a detected cybersecurity event
▪ Recover: Implement activities to maintain plans for resilience and to restore capabilities
The…
Standard
The structure of IEC 62443?
General
• 1-1 Terminology, concepts and models
• 1-2 Master glossary of terms and abbreviations
• 1-3 System security compliance metrics
• 1-4 IACS security lifecycle and use-cases
Policies and procedures
• 2-1 Security program requirements for IACS asset owners
• 2-2 IACS security program ratings
• 2-3 Patch management in the IACS environment
• 2-4 Security program requirements for IACS service providers
System
• 3-1 Security technologies for IACS
• 3-2 Security risk assessment and system design
• 3-3 System security requirements and security levels
Components
• 4-1 Secure product development lifecycle requirements
• 4-2 Technical security requirements for IACS components
Row labels: Definition and metrics; Processes / procedures; Functional requirements
Protection Level (PL)
Security process
• Based on IEC 62443-2-4 and ISO27001
• Maturity Level 1 - 4
Security functions
• Based on IEC 62443-3-3
• Security Level 1 - 4
Protection Levels are the key criteria and cover security
functionalities and processes
Protection Levels are the key criteria and cover security
functionalities and processes
[Figure: Protection Levels PL 1 to PL 4, with axes Maturity Level (1 to 4) and Security Level]
Understanding Risk
High-Level Security Risk Assessment
What is your Target Security Level (SL-T)?
▪ Security Level 4: Protect Against Intentional Unauthorized Access by Entities using Sophisticated Means with Extended Resources, IACS specific Skills & High Motivation
▪ Security Level 3: Protect Against Intentional Unauthorized Access by Entities Using Sophisticated Skills with Moderate Resources, IACS specific skills & Moderate Motivation
▪ Security Level 2: Protect Against Intentional Unauthorized Access by Entities Using Simple Means with Low Resources, Generic Skills, & Low Motivation
▪ Security Level 1: Protect Against Casual or Incidental Access by Unauthorized Entities
Consequences – Some randomly selected points
▪ PL 1: Use of VLAN, network hardening, managed switches and capability to backup are mandatory …
▪ PL 2: A distributed firewall concept has to be implemented. Inventory and Network Management are mandatory. Capability to automate the backup is mandatory …
▪ PL 3: Even more…
▪ PL 4: Even way more…
IEC 62443 Security measures
It is unambiguous …
Measure categories: Secure Physical Access + Organize Security + Secure Solution Design + Secure Operations + Secure Lifecycle management
Secure Physical Access, from PL 1 to PL 4:
• Locked building/doors with keys
• Doors with card reader
• Revolving doors with card reader
• Revolving doors with card reader and PIN; Video Surveillance and/or IRIS Scanner at door
Further measures shown on the slide:
• Awareness training (e.g. Operator Aware. training)
• Network segmentation (e.g. VLAN)
• Security logging on all systems
• Backup / recovery system
• Mandatory rules on USB sticks (e.g. Whitelisting)
• Automated backup / recovery
• No Email, No WWW, etc. in Secure Cell
• 2 PCs (Secure Cell/outside)
• Remote access with cRSP or equivalent
• Monitoring of all human interactions
• Dual approval for critical actions
• Firewalls with Fail Close (e.g. Next Generation Firewall)
• Monitoring of all device activities
• Online security functionality verification
• Persons responsible for security within own organization
• Continuous monitoring (e.g. SIEM)
• Backup verification
• Mandatory security education
• Physical network segmentation or equivalent (e.g. SCALANCE S)
• Remote access restriction (e.g. need to connect principle)
• …
Cybersecurity Essentials
• Equipment built with security in mind
• Network Design & Segmentation
• Asset Inventory
• Vulnerability Identification
• Patch Management
• Password Management
• Phishing Identification Training
• Disaster Recovery
• Upgrade Aging Infrastructure
• Limiting Privileges
A piece of a bigger picture
• IEC62443: The OT-security standard
• ISO27001: Well known IT-security standard
• NIST 800-30: Risk assessment framework
• The Functional Safety standard
Recap - Contributions of the stakeholders
[Figure: IEC 62443 stakeholder diagram]
• Stakeholders: Product supplier, System Integrator, Asset Owner
• Security levels: Capability SLs, Target SLs, Achieved SLs
• Parts shown: 3-2 Security risk assessment and system design; 3-3 System security requirements and Security levels; 4-1 Product development requirements; 4-2 Technical security requirements for IACS products
• Other labels: Automation solution; Control System capabilities
IEC 62443-3-2 Generic Blueprint
IEC62443-3-2 Zones and Conduits
Zone Enterprise Network
Zone Plant
Zone Control #1
Conduit
Zone Control #2
PL3
PL2
PL1
Trusted/Untrusted
IEC62443-3-2 Examples
Small Site
OT is air-gapped
IEC62443-3-2 Examples
Medium sized Site
OT and IT are connected via one conduit
IEC62443-3-2 Examples
Large Site
OT and IT are connected via DMZ
Questions?

Industrial_Cyber_Security
