The document discusses achieving information and cyber security (ICS/SC) compliance through a risk-based approach. It begins by outlining the end state of having a holistic management system for regular compliance reporting and improvement. It then addresses identifying the current "as-is" security state, establishing a leadership model, and using compliance and risk assessments to prioritize controls. The document emphasizes that compliance is just the beginning and that risk management should inform decision making to balance security, compliance, and business needs. It concludes that compliance alone is not sufficient and a phased, governance-based approach is needed to deal with complex environments.

1. ICS Security Compliance -
Ensuring the rubber hits the road
Head Cyber Security Strategy
Mohammed Zumla

2. Agenda
1. The Future (back to the..)
2. The Beginning
3. The Journey
4. The End…?
2

3. 1. Back to the future…
3

4. End state for compliance
Management System
• Regular reporting BAU
• Holistic (Wide and deep in key areas)
4
Objectives
v Policy metrics for conformance, driving course changes
v Assurance to management, board, authority and regulator
v Annual improvement programme to improve maturity
v Risk based approach with enhanced control sets ‘enabling business’
So…how to get there….?

5. Agenda
2. The Beginning
5

6. Reality check…
6

7. Identify ‘as-is’ (rule 101)
Biggest challenge..why?
• Reluctance
• Undocumented
• Outdated/incomplete documentation
• Unverified state
• Cross-functional domain
7
How to address?
ü Build up trust internally
ü Build templates
ü Build 80% view and move on

8. Establish leadership model
Centralized Decentralized
Ø Less responsive to users
Ø No BU ownership
Ø No BU cost control
Ø Doesn’t meet everyone’s
needs
Ø More costly
Ø Variable security
competencies
Ø Reinventing the wheel
Ø Lack of synergy
BU
ownership
User
priority
Standardize
Right skills
Functional leadership
Enterprise perspective
Pooled resources
Synergy

9. Top level Information Security Policy
ICS Policy
ICS Standards
ICS Procedures
ICS Guidelines
TG05
Framework
9

10. Agenda
3. The Journey
10

11. Garbage in…
11

12. Summary Compliance & Risk
12
• Important not to be ‘rule followers’ but instead become ‘risk
leaders’
• Security should state YES, but..
• Compliance should state NO, but..
• Adopt a risk based approach that works for your company
• Just doing compliance or doing risk assessment alone
doesn’t work
• Focus on risk assessment and compliance will follow suit

13. Pre-empting worst case
• Attackers Goals:
– Search, access, copy, alter, delete sensitive
information
– Steal passwords and take screen capture
– Turn on camera and microphone to eavesdrop
– Issue commands masquerading as
authenticated device/user
• Attackers Motivation:
– Impact state economy
– Gain competitive edge
– Social/Political agenda
– Personal revenge

14. Echoes from the past…
14

15. ICT Security
Strategic -
Develop a segmentation model for
additional items. Reprioritize where
required
Ø Logging & monitoring
Ø Business continuity arrangements
Ø Re-architecture
Ø Additional layers defense
Context
• Been around for some time, F/W, IDS/IPS, A/V etc
• Plethora of new technologies, but which ones to adopt?
• Deal with media hype, audits, incidents - Prepare a list of prioritized
controls and take the ‘big ticket’ items for approval first
Tactical -
Limit the attack surface and
spreading capabilities
Ø Minimum assurance level of
operational environment
Ø Third party connectivity
Ø Desktops/Laptops/Mobile devices,
(services, connectivity, media etc.)
Ø Remote access 15

16. ICS/SCADA
Context
• Traditionally segregated from corporate networks
• Scope creep over time
• Operations managing their own ICT (ICT team not trusted)
• ‘Air gap’ not always feasible, especially with Digital Oil Field
Tactical -
Segregate wherever possible
Ø Get in new projects FIRST and build
in from the outset (FEED, EPIC…)
Ø Look for ‘quick wins’ in compliance
(Minimal resistance, high impact)
Strategic-
Partner with business and get them to
own their risks
Ø Recruit/identify those with a balance
of ICT, OT skillset and empower
Ø If doing assurance role DON’T get
involved in implementation
Ø Be seen as helping address their
risks and compliance issues

17. Agenda
4. The End?
17

18. • Work is being done to meet timeframe ONLY to satisfy the audit
rather than addressing issues at hand
• Dominate decision making - impede ability to innovate, perform or
prioritize programs accordingly
• Allows for ambiguity in large documents sets or worse if it’s in
foreign language
• Doesn’t provide a view on effectiveness of controls in relation to
the CURRENT environmental landscape, ie Audit Universe for 1 or
2 years
• Provides a false sense of security if no major concerns brought
up. (If the auditors are not trained up or experienced in the
specialized field then big items may be missed.)
Compliance is the beginning
18

19. End state for compliance
Typical
• Address FUD surrounding public incidents
• Knee-jerk reaction to an in-house incident/near-miss
• Perceived as trustworthy internally/externally
• Compliance with regulatory environment
(Gartner CEO survey, #1 concern)
Reality
v To be a business enabler (extend corporate boundaries)
v Allow steady increase in usage and exploitation of information
v Inform there’s a paradigm shift in determination of attackers
v Ensure continuity of business and plan for the unthinkable
19

20. Science..not fiction!
20

21. Balancing Compliance & Risks
• Compliant but not necessarily secure (ISO/IEC 27001 does
NOT require the use of evaluated products)
• Secure at a point in time but not compliant (Information Security
Awareness)
• What’s needed is informed decision making- flexibility for
unique environment, situations, enable business to meet
objectives.
• So… having an established risk management program will lead
to being compliant
21

22. Risk Based Approach
• Adopt and refine a Methodology, appropriate for the business
• Are the controls commensurate with risk profile?
Maybe, but only at a particular time. After an incident the
controls may not be deemed enough
• Subjective if not normalized centrally
• Tendency to make it purely math based
• May not want to disclose issues to other parts of the business
Impact Levels
Risk Tolerance Levels
Baseline Control Set
Criteria to assess the
effectiveness of Controls
Risk Treatment Plans
Risk remediation
Prioritization of remediation
Risk acceptance
Etc.
22

23. Summary
23
• Compliance only goes so far – use it to keep the finger on the pulse,
but don’t get hung up!
• Risk assessment should qualify your intuition - use it to gain Senior
Management attention and prioritize remediation programs
• Don’t rely only on traditional control set – introduce a security
capability model and develop tactical and strategic plans
• Break mentality that it’s just a sole departmental issue – build up
awareness and reinforce that everyone is responsible
• Adopt a phased approach for dealing with
complex environment - but most importantly if
you are leading, gain trust of operational
managers and drive with GOVERNANCE!

24. Questions and Answers
Thank
you
24