With the recent publication of ANSI/ISA-62443-3-3-2013, it is possible for end-users, system integrators, and vendors to qualify the capabilities of their systems from an ICS cyber security perspective. This process is not as simple as it may seem, though. In many cases, the capabilities of individual components of a system can be determined from specifications and manuals. The capabilities of the system also need to be evaluated as a whole to determine how those individual components work together. Component-level and system-level certifications are common practice in the safety environment, and will eventually become common in the ICS cyber security environment as well. Certification bodies, like the ISA Security Compliance Institute (ISCI), have begun the process to develop certification efforts around ISA-62443-3-3. Until many more groups of components and systems have been officially certified, third-party assessments and evaluations will be common. This presentation will discuss an example of how Kenexis Consulting has evaluated a particular vendor’s components and systems to determine compliance with ISA-62443-3-3. The presentation will go through the evaluation methodology used and describe how Kenexis used the evaluation to develop a series of real-world use-cases of the components and system in the ICS environment.
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020, by Jiunn-Jer Sun
• Why An Industrial Cybersecurity Standard
• What Is IEC 62443 About
• How It Impacts On You - The Security Lifecycle
• IEC 62443 Certificates
• Reference: Some Ongoing Projects
• Summary
Presented: September 21, 2017
At: CS2AI, Washington, DC
A decade ago, ISA99 published the first standard in what is now the ISA/IEC 62443 series. Since then, the series has coalesced into the current form consisting of 13 individual documents in various stages of completion, publication, and/or revision. Printing out all of the existing standards and drafts can easily use up more than a ream of paper. It can be a daunting task to try to apply it to an organization. So, what are you supposed to do? How are you supposed to proceed? In this talk, I’ll go over some of the lessons I’ve learned from helping customers develop and evaluate security programs within their organization.
Secure Systems Security and ISA99 - IEC62443, by Yokogawa1
With the new Industrial Network standards like ISA-IEC62443, companies are evolving their IT and OT networks to face evolving threats. This presentation will cover industrial networking best practices, secure architectures and segregation techniques that can be used by all businesses to prevent a minor business network breach from becoming an industrial catastrophe.
Topics Covered in this Seminar Include:
Overview Of Cyber Threat
Introduction - ISA IEC Industrial Control Security Standards
An Example - Advanced Persistent Threat (APT)
ISA/IEC 62443-3-2 Network Separation - An APT countermeasure
The next step in APT defenses: System Certification to ISA/IEC 62443 Cybersecurity Standards
ISA/IEC 62443 Cybersecurity Standards Current Efforts
The Future of ISA/IEC 62443 Cybersecurity Standards
Standard IEC 62443: a series of standards that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). *Equivalence to ISO 27001 and NIST Cybersecurity Framework.
Active Directory in ICS: Lessons Learned From The Field, by Digital Bond
Donovan Tindall of Honeywell at the S4x15 Operations Technology Day (OTDay). A meaty, but practical technical session on how to use Active Directory to help manage and secure your ICS.
The objectives of the present document are:
* To provide the certified clients of ISONIKE Ltd with the necessary information on the Transition Arrangements from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 certification.
* To provide the future clients of ISONIKE Ltd with the necessary information on the Transition Arrangements from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 certification.
* To provide the certified clients with the necessary steps for moving forward with the Transition of the Certification.
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a..., by PECB
To protect your organization from cyber attacks, you need to implement a robust information security management system (ISMS) and business continuity management system (BCMS) based on international standards, such as ISO/IEC 27001 and ISO 22301.
Amongst others, the webinar covers:
• Why we need a cyber response plan to protect business operations
• Introduction to ISO/IEC 27001 and ISO 22301
• What do we need for a cyber security response plan?
• How do we develop a cyber security response plan?
Presenters:
Nick Frost
Nick Frost is Co-founder and Lead Consultant at CRMG.
Nick’s career in cyber security spans nearly 20 years. Most recently Nick has held leadership roles at PwC as Group Head of Information Risk and at the Information Security Forum (ISF) as Principal Consultant.
In particular, Nick was Group Head of Information Risk for PwC, designing and implementing best-practice solutions that made good business sense, prioritised key risks to the organisation and helped minimise disruption to ongoing operations. Whilst at the ISF, Nick led their information risk projects and delivered many of the consultancy engagements to help organisations implement leading thinking in information risk management.
Nick’s combined experience as a cyber risk researcher and practitioner designing and implementing risk-based solutions places him as a leading cyber risk expert. Prior to cyber security, and after graduating from UCNW and Oxford Brookes, Nick was a geophysicist in the Oil and Gas Industry.
Simon Lacey
Simon is a resourceful, creative Information & Cyber Security professional with a proven track record of instigating change, disrupting the status quo, influencing stakeholders and developing ‘big picture’ vision across business populations. Multiple industry experience; excels in building stakeholder engagement & consensus; and supporting organisations to make sustainable change.
Simon also has considerable experience of risk management, education and awareness, strategy development and consulting to senior management and is a confident and engaging public speaker.
Simon has previously worked within the NHS, Bank of England and BUPA, before setting out as an independent consultant forming Oliver Lacey Limited, supporting clients in multiple business sectors.
When not working, Simon loves to run – currently training for the Berlin Marathon, a Director of Aylesbury United Football Club, records vlogs and is an experienced standup comic.
Date: April 26, 2023
Find out more about ISO training and certification services
Training: https://bit.ly/3AyoyYF
https://bit.ly/3LbBVTx
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
YouTube video: https://youtu.be/i4qx5mjEqio
The SOC 2 examination's popularity has dramatically increased since its inception. Growing concerns regarding information security have heightened scrutiny of organizations’ control infrastructure and driven the demand for attestation reports.
Join BrightLine Principal Debbie Zaller and Senior Manager Doug Kanney during this free webinar and learn how a SOC 2 examination can help your organization. Become familiar with the SOC 2 report's objectives, learn about its structure and the areas to focus on, and benefit from some valuable lessons we've learned from extensive experience.
This session will provide you with:
• Overview of the SOC 2 background
• Definition of the AICPA Framework
• Overview of the purpose and scope
• Discussion of the common challenges and benefits
• Requirements of the examination process
• Discussion of the alignment with other standards
ControlCase covers the following:
• What is PCI DSS?
• What does PCI DSS stand for?
• What is the purpose of PCI DSS?
• Who does PCI DSS apply to?
• What are the 12 requirements of PCI DSS?
• What are the 6 Principles of PCI DSS?
• What are the potential liabilities for not complying with PCI DSS?
• How can we achieve compliance in a cost effective manner?
Here is your guide on how to progress through the cyber security career ladder. This resource shows you all the different cyber security roles and the qualifications needed for each!
Enterprise Security Architecture was initially targeted to address two problems:
1- System complexity
2- Inadequate business alignment
Resulting in more cost, less value.
What is a secure enterprise architecture roadmap?, by Ulf Mattsson
Webcast title : What is a Secure Enterprise Architecture Roadmap?
Description : This session will cover the following topics:
* What is a Secure Enterprise Architecture roadmap (SEA)?
* Are there different Roadmaps for different industries?
* How does compliance fit in with a SEA?
* Does blockchain, GDPR, Cloud, and IoT conflict with compliance regulations complicating your SEA?
* How will quantum computing impact the SEA roadmap?
Presenters : Juanita Koilpillai, Bob Flores, Mark Rasch, Ulf Mattsson, David Morris
Duration : 68 min
Date & Time : Sep 20 2018 8:00 am
Timezone : United States - New York
Webcast URL : https://www.brighttalk.com/webinar/what-is-a-secure-enterprise-architecture-roadmap
Jonathan Pollet and Mark Heard of Red Tiger Security at S4x15 OTDay.
The NIST Cybersecurity Framework (CSF) has been out for a year now, and some owner/operators have begun to use it to help create an ICS cyber security program. The Red Tiger Security team discusses what the CSF is and their experience in using it with real-world clients.
Improve Cybersecurity posture by using ISO/IEC 27032, by PECB
Cybersecurity is a universal concern across today’s enterprise, and a strategic approach is required for appropriate mitigation.
Adopting ISO 27032 will help to:
• Understand the nature of Cyberspace and Cybersecurity
• Explore Cybersecurity Ecosystem – Roles & Responsibilities
• Achieve Cyber Resilience through implementing defensive and detective cybersecurity controls
Presenter:
Obadare Peter Adewale is a first generation and visionary cyberpreneur. He is a PECB certified Trainer, Fellow Chartered Information Technology Professional, the First Licensed Penetration Tester in Nigeria, second COBIT 5 Assessor in Africa and PCI DSS QSA. He is also an alumnus of Harvard Business School and MIT Sloan School of Management Executive Education.
Link of the recorded session published on YouTube: https://youtu.be/NX5RMGOcyBM
The new CMMC version 1 was published in January 2020. This presentation was provided to small businesses that are part of the DoD supply chain. It helps to understand the requirements.
Information Security Architecture: Building Security Into Your Organization, by Seccuris Inc.
Controls and solutions can mitigate risk, but can also deeply undermine business productivity and the benefits that new technologies may bring. Harnessing the SABSA Information Security framework will allow your organization to build robust enterprise security architecture, directly supporting and enabling your organization's core objectives.
This presentation will highlight the key concerns you should be aware of within your organization and current security program, as well as provide specific recommendations to successfully move your security and compliance goals ahead. Learn more about the techniques and tools readily available in the industry and how you can use these tools to create immediate wins and security improvements in your organization.
Introduction to Risk Management via the NIST Cyber Security Framework, by PECB
The cyber security profession has successfully established explicit guidance for practitioners to implement effective cyber security programs via the NIST Cyber Security Framework (CSF). The CSF provides both a roadmap and a measuring stick for effective cyber security. Application of the CSF within cyber is nothing new, but the resurgence of Enterprise Security Risk Management and Security Convergence highlights opportunities for expanded application to cyber, physical, and personnel security risks. The NIST CSF can help practitioners build a cross-pollinated understanding of holistic risk.
Main points covered:
• Understand the purpose, value, and application of the NIST CSF in familiar non-technical terms.
• Understand how the Functions and Categories of the NIST CSF (the CSF “Core”) and an organization's “current” and “target” profiles are relevant and valuable in a variety of sectors and environments.
• Understand how an organization’s physical and cyber security resources and stakeholders can align with the NIST CSF as a tool to achieve holistic security risk management.
Presenters:
David Feeney, CPP, PMP has 17 years of security industry experience assisting organizations with risk management matters specific to physical, personnel, and cyber security. He has 9 years of experience with service providers and 8 years of experience within enterprise security organizations. David has worked with industry leaders in the energy, technology, healthcare, and real estate sectors. Areas of specialization include Security Operations Center design and management, Security Systems design and implementation, and Enterprise Risk Management. David holds leadership positions in ASIS International and is also a member of the InfraGard FBI program. David holds Certified Protection Professional (CPP) and Project Management Professional (PMP) certifications.
Andrea LeStarge, MS has over ten years of experience in program management, risk analysis and curriculum development. Specializing in Homeland Security, Andrea leverages her experience from formerly managing projects to support various Federal Government entities in identifying, detecting and responding to man-made, natural and cyber incidents. She has an established track record in recognizing security gaps and corrective risk mitigation options, while effectively communicating findings to stakeholders, private sector owners and operators, and first-responder personnel at the tactical, operational and strategic levels. Overall, Andrea brings analytical tradecraft and demonstrates consistent, repeatable and defensible methodologies pertaining to risk and the elements of threat, vulnerability and consequence.
Recorded webinar: https://youtu.be/hxpuYtMQgf0
Micro segmentation and zero trust for security and compliance - Guardicore an..., by YouAttestSlideshare
Micro Segmentation for Zero trust security and compliance
1) What is Zero Trust?
2) How does zero trust relate to compliance?
3) Guardicore and Micro Segmentation
4) YouAttest and Compliance
5) Short Demo and Q&A session
Find out about the SOC cyber security service at Steppa. Our SOC provides several capabilities: processing and breaking down any PC-translated information, assessing and distinguishing suspicious and malicious web and system activities, and visualizing and monitoring all threats in real time.
Software supply chain attacks increased 650% in 2021. Learn why software supply chains are vulnerable, the types of attacks, and how to prevent them using OSS tools like Sigstore cosign and CNCF Kyverno!
1 Software Requirements Descriptions and specification.docx, by jeremylockett77
Software Requirements: Descriptions and specifications of a system

What is a requirement?
• May range from
– a high-level abstract statement of a service, or
– a statement of a system constraint to a detailed mathematical functional specification
• Requirements may be used for
– a bid for a contract
• must be open to interpretation
– the basis for the contract itself
• must be defined in detail
• Both the above statements may be called requirements

Example
……
4.A.5 The database shall support the generation and control of configuration objects; that is, objects which are themselves groupings of other objects in the database. The configuration control facilities shall allow access to the objects in a version group by the use of an incomplete name.
……

Types of requirements
• Written for customers
– User requirements
• Statements in natural language plus diagrams of the services the system provides and its operational constraints.
• Written as a contract between client and contractor
– System requirements
• A structured document setting out detailed descriptions of the system services.
• Written for developers
– Software specification
• A detailed software description which can serve as a basis for a design or implementation.

User requirements readers
• Client managers
• System end-users
• Client engineers
• Contractor managers
• System architects

System requirements readers
• System end-users
• Client engineers
• System architects
• Software developers

Software specification readers
• Client engineers (maybe)
• System architects
• Software developers

We will come back to user and system requirements

Functional requirements
• Statements of services the system should provide, how the system should react to particular inputs and how the system should behave in particular situations.

Functional requirements
• Describe functionality or system services
• Depend on the type of software, expected users and the type of system where the software is used
• Functional user requirements may be high-level statements of what the system should do, but functional system requirements should describe the system services in detail

Examples of functional requirements
1. The user shall be able to search either all of the initial set of databases or select a subset from it.
2. The system shall provide appropriate viewers for the user to read documents in the document store.
3. Every order shall be allocated a unique identifier (ORDER_ID) which the user shall be able to copy to the account’s permanent storage area.

Requirements imprecision
• Problems arise when requirements are not precisely stated
• Ambiguous requirements may be interpreted in different ways by developers and users
• Consider the term ‘appropriate viewers’
– User intention - special purpose viewer fo ...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...PECB
To protect your organization from cyber attacks, you need to implement a robust information security management system (ISMS) and business continuity management system (BCMS) based on international standards, such as ISO/IEC 27001 and ISO 22301.
Amongst others, the webinar covers:
• Why we need a cyber response plan to protect business operations
• Introduction to ISO/IEC 27001 and ISO 22301
• What do we need for a cyber security response plan?
• How do we develop a cyber security response plan?
Presenters:
Nick Frost
Nick Frost is Co-founder and Lead Consultant at CRMG.
Nick’s career in cyber security spanning nearly 20 years. Most recently Nick has held leadership roles at PwC as Group Head of Information Risk and at the Information Security Forum (ISF) as Principal Consultant.
In particular Nick was Group Head of Information Risk for PwC designing and implementing best practice solutions that made good business sense, that prioritise key risks to the organisation and helped minimise disruption to ongoing operations. Whilst at the ISF Nick led their information risk projects and delivered many of the consultancy engagements to help organisations implement leading thinking in information risk management.
Nicks combined experience as a cyber risk researcher and practitioner designing and implementing risk based solutions places him as a leading cyber risk expert. Prior to cyber security and after graduating from UCNW and Oxford Brookes Nick was a geophysicst in the Oil and Gas Industry.
Simon Lacey
Simon is a resourceful, creative Information & Cyber Security professional with a proven track record of instigating change, disrupting the status quo, influencing stakeholders and developing ‘big picture’ vision across business populations. Multiple industry experience; excels in building stakeholder engagement & consensus; and suporting organisations to make sustainable change.
Simon also has considerable experience of risk management, education and awareness, strategy development and consulting to senior management and is a confident and engaging public speaker.
Simon has previously worked within the NHS, Bank of England and BUPA, before setting out as an independent consultan forming Oliver Lacey Limited, supporting clients in multiple business sectors.
When not working, Simon loves to run – currently training for the Berlin Marathon, a Director of Aylesbury United Football Club, records vlogs and is an experienced standup comic.
Date: April 26, 2023
Find out more about ISO training and certification services
Training: https://bit.ly/3AyoyYF
https://bit.ly/3LbBVTx
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
YouTube video: https://youtu.be/i4qx5mjEqio
The SOC 2 examination's popularity has dramatically increased since its inception. This is due to growing concerns regarding information security have heightened scrutiny of organization’s control infrastructure and driven the demand for attestation reports.
Join BrightLine Principal, Debbie Zaller and Senior Manager, Doug Kanney during this free webinar - and learn how a SOC 2 examination can help your organization. Become familiar with the SOC 2's report objectives, learn about its structure and areas to focus, and benefit from some valuable lessons we've learned from extensive experience.
This session will provide you with a:
• Overview of the SOC 2 background
• Definition of the AICPA Framework
• Overview of the purpose and scope
• Discussion of the common challenges and benefits
• Requirements of the examination process
• Discussion of the alignment with other standards
ControlCase covers the following:
•What is PCI DSS?
•What does PCI DSS stand for?
•What is the purpose of PCI DSS?
•Who does PCI DSS apply to?
•What are the 12 requirements of PCI DSS?
•What are the 6 Principles of PCI DSS?
•What are the potential liabilities for not complying with PCI DSS?
•How can we achieve compliance in a cost effective manner?
Here is your guide on how to progress through the cyber security career ladder. This resource shows you all the different cyber security roles and the qualifications needed for each!
Enterprise Security Architecture was initially targeted to address two problems
1- System complexity
2- Inadequate business alignment
Resulting into More Cost, Less Value
What is a secure enterprise architecture roadmap?Ulf Mattsson
Webcast title : What is a Secure Enterprise Architecture Roadmap?
Description : This session will cover the following topics:
* What is a Secure Enterprise Architecture roadmap (SEA)?
* Are there different Roadmaps for different industries?
* How does compliance fit in with a SEA?
* Does blockchain, GDPR, Cloud, and IoT conflict with compliance regulations complicating your SEA?
* How will quantum computing impact SEA roadmap?
Presenters : Juanita Koilpillai, Bob Flores, Mark Rasch, Ulf Mattsson, David Morris
Duration : 68 min
Date & Time : Sep 20 2018 8:00 am
Timezone : United States - New York
Webcast URL : https://www.brighttalk.com/webinar/what-is-a-secure-enterprise-architecture-roadmap
Jonathan Pollet and Mark Heard of Red Tiger Security at S4x15 OTDay.
The NIST Cybersecurity Framework (CSF) has been out for a year now, and some owner/operators have begun to use it to help create an ICS cyber security program. The Red Tiger Security team discusses what the CSF is and there experience in using it with real world clients.
Improve Cybersecurity posture by using ISO/IEC 27032PECB
Cybersecurity is a universal concern across today’s enterprise and the need for strategic approach is required for appropriate mitigation.
Adopting ISO 27032 will help to:
• Understanding the nature of Cyberspace and Cybersecurity
• Explore Cybersecurity Ecosystem – Roles & Responsibilities
• Achieve Cyber Resilience through implementing defensive and detective cybersecurity controls
Presenter:
Obadare Peter Adewale is a first generation and visionary cyberpreneur. He is a PECB certified Trainer, Fellow Chartered Information Technology Professional, the First Licensed Penetration Tester in Nigeria, second COBIT 5 Assessor in Africa and PCI DSS QSA. He is also an alumnus of Harvard Business School and MIT Sloan School of Management Executive Education.
Link of the recorded session published on YouTube: https://youtu.be/NX5RMGOcyBM
The new CMMC version 1 was published in January 2020. This presentation was provided to small businesses's that are part of the DoD supply chain. It helps to understand the requirements.
Information Security Architecture: Building Security Into Your OrganziationSeccuris Inc.
Controls and solutions can mitigate risk, but can also deeply undermine business productivity and the benefits that new technologies may bring. Harnessing the SABSA Information Security framework will allow your organization to build robust enterprise security architecture, directly supporting and enabling your organization's core objectives.
This presentation will highlight the key concerns you should be aware of within your organization and current security program, as well as provide specific recommendations to successfully move your security and compliance goals ahead. Learn more about the techniques and tools readily available in the industry and how you can use these tools to create immediate wins and security improvements in your organization.
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
The cyber security profession has successfully established explicit guidance for practitioners to implement effective cyber security programs via the NIST Cyber Security Framework (CSF). The CSF provides both a roadmap and a measuring stick for effective cyber security. Application of the CSF within cyber is nothing new, but the resurgence of Enterprise Security Risk Management and Security Convergence highlight opportunities for expanded application for cyber, physical, and personnel security risks. This NIST CSF can help practitioners build a cross-pollenated understanding of holistic risk.
Main points covered:
• Understand the purpose, value, and application of the NIST CSF in familiar non-technical terms.
• Understand how the Functions and Categories of the NIST CSF (the CSF “Core”) and an organization's “current” and “target” profiles are relevant and valuable in a variety of sectors and environments.
• Understand how an organization’s physical and cyber security resources and stakeholders can align with the NIST CSF as a tool to achieve holistic security risk management.
Presenters:
David Feeney, CPP, PMP has 17 years of security industry experience assisting organizations with risk management matters specific to physical, personnel, and cyber security. He has 9 years of experience with service providers and 8 years of experience within enterprise security organizations. David has worked with industry leaders in the energy, technology, healthcare, and real estate sectors. Areas of specialization include Security Operations Center design and management, Security Systems design and implementation, and Enterprise Risk Management. David holds leadership positions in ASIS International and is also a member of the InfraGard FBI program. David holds Certification Protection Professional (CPP) and Project Management Professional (PMP) certifications.
Andrea LeStarge, MS has over ten years of experience in program management, risk analysis and curriculum development. Being specialized in Homeland Security, Andrea leverages her experience in formerly managing projects to support various Federal Government entities in identifying, detecting and responding to man-made, natural and cyber incidents. She has an established track record in recognizing security gaps and corrective risk mitigation options, while effectively communicating findings to stakeholders, private sector owners and operators, and first-responder personnel within tactical, operational and strategic levels. Overall, Andrea encompasses analytical tradecraft and demonstrates consistent, repeatable and defensible methodologies pertaining to risk and the elements of threat, vulnerability and consequence.
Recorded webinar: https://youtu.be/hxpuYtMQgf0
Micro segmentation and zero trust for security and compliance - Guardicore an...YouAttestSlideshare
Micro Segmentation for Zero trust security and compliance
1) What is Zero Trust?
2) How does zero trust relate to compliance?
3) Guardicore and Micro Segmentation,
4) YouAttest and Compliance
5) Short Demo and Q&A session
Find out the SOC Cyber Security at Steppa. Our SOC contains several capabilities like process and break down any PC translated information, assess and distinguish suspicious and maicious web and system activities, visualize and monitor all threats in real time.
Software supply chain attacks increased 650% in 2021. Learn why software supply chains are vulnerable, the types of attacks, and how to prevent them using OSS tools like Sigstore cosign and CNCF Kyverno!
1 Software Requirements Descriptions and specification.docxjeremylockett77
Software Requirements: Descriptions and specifications of a system
What is a requirement?
• May range from
  – a high-level abstract statement of a service, or
  – a statement of a system constraint, to a detailed mathematical functional specification
• Requirements may be used for
  – a bid for a contract
    • must be open to interpretation
  – the basis for the contract itself
    • must be defined in detail
• Both the above statements may be called requirements
Example
……
4.A.5 The database shall support the generation and control of configuration objects; that is, objects which are themselves groupings of other objects in the database. The configuration control facilities shall allow access to the objects in a version group by the use of an incomplete name.
……
Types of requirements
• Written for customers
  – User requirements
    • Statements in natural language plus diagrams of the services the system provides and its operational constraints.
• Written as a contract between client and contractor
  – System requirements
    • A structured document setting out detailed descriptions of the system services.
• Written for developers
  – Software specification
    • A detailed software description which can serve as a basis for a design or implementation.
User requirements readers
• Client managers
• System end-users
• Client engineers
• Contractor managers
• System architects
System requirements readers
• System end-users
• Client engineers
• System architects
• Software developers
Software specification readers
• Client engineers (maybe)
• System architects
• Software developers
We will come back to user and system requirements
Functional requirements
• Statements of services the system should provide, how the system should react to particular inputs and how the system should behave in particular situations.
Functional requirements
• Describe functionality or system services
• Depend on the type of software, expected users and the type of system where the software is used
• Functional user requirements may be high-level statements of what the system should do but functional system requirements should describe the system services in detail
Examples of functional requirements
1. The user shall be able to search either all of the initial set of databases or select a subset from it.
2. The system shall provide appropriate viewers for the user to read documents in the document store.
3. Every order shall be allocated a unique identifier (ORDER_ID) which the user shall be able to copy to the account’s permanent storage area.
Requirements imprecision
• Problems arise when requirements are not precisely stated
• Ambiguous requirements may be interpreted in different ways by developers and users
• Consider the term ‘appropriate viewers’
  – User intention - special purpose viewer fo ...
Platform Observability “is when you infer the internal state of a system only by observing the data it generates, such as logs, metrics, and traces”. When observability is implemented well, a system will not require operations teams to spend much effort on understanding its internal state.
Decision Matrix for IoT Product DevelopmentAlexey Pyshkin
At first sight, the development of "hardware" products hardly differs from that of IoT devices. Here you can see the methodology of IoT product development based on an IoT framework by Daniel Elizalde. It’s a convenient and simple model that estimates expenses and potential income, evaluates the technological complexity and at the same time is easily understood by the client.
Made by notAnotherOne
Requirements Engineering - "Ch2 an introduction to requirements"Ra'Fat Al-Msie'deen
System requirements, Types of requirements, Requirements problems, FAQS about requirements, Systems engineering, Emergent properties, System engineering activities, Requirements document, Users of requirements documents, Adapting the standard, Writing requirements, Writing guidelines, Writing essentials, etc.
The Security Policy Management Maturity Model: How to Move Up the CurveAlgoSec
Rising network complexity and increased demands on business agility are rapidly hindering the traditional approach to managing security policies. The Security policy management maturity model can help you better understand your current network environment and provide you with a roadmap for improving both your security AND agility. Learn:
- The four stages of the maturity model
- How to compare your environment to the different stages
- Tips for orchestrating security policy management
- Real-life examples of benefits achieved by "moving up the curve"
Because many organizations don't perform security unless they have to, more than 80% of all web applications are being exposed to vulnerabilities. In comes regulation. There are a number of different industries other than financial and healthcare that deal with PII and PHI but are either not regulated at all or are regulated very loosely. This presentation will discuss the various regulations (PCI, SOX, HIPAA, etc.) and what each does to address web application security, if any, as well as the shortcomings of each. Finally, it will further address industries that need to be more strictly regulated in order to better protect personal information.
Andrew Weidenhamer, Senior Security Consultant, SecureState
Andrew Weidenhamer, Senior Security Consultant, joined SecureState in January 2008. As a former member of the Profiling Team, Andrew performed technical security assessments on a weekly basis. These assessments included Internal and External Attack and Penetration Assessments, Wireless Penetration Assessments, Web Application Security Reviews, Physical Penetration Tests, and Social Engineering Assessments.
Fundamentals of software engineering: a deep study of diagrams (DFD, ER, use case, activity, and many others) and of the functional and non-functional requirements required by the customer.
Practical Approaches to Securely Integrating Business and ProductionJim Gilsinn
Presented @ 2016 ISA Process Control & Safety Symposium, November 10, 2016
The exchange of key information between business operations, suppliers, customers, production, and ultimately the production equipment itself can provide significant financial and productivity advantages. This presentation will discuss some practical approaches to utilizing the cyber security principles from ISA/IEC 62443 in order to integrate the business and production environments. It will also present some of the different solutions for meeting a variety of scenarios, such as data historians, patching/updating, and remote maintenance.
Presented @ Frederick Linux Users Group (KeyLUG)
May 7, 2016
A presentation on protecting Small Office/Home Office (SOHO) networks that I made at the Frederick Linux Users Group (KeyLUG). I work virtually from my home, and this presentation goes through some of my experiences setting up my home network to be better and more secure. I ditched my consumer-grade NAT router and have installed a firewall, commercial-grade wireless access points, and an intrusion detection system (IDS). I'm not finished yet, but this presentation will give you an idea of some of the things that I've done, where I'm thinking about going, and some things to consider as you set up your own network.
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMJim Gilsinn
Presented: BSidesDC 2015, Washington, DC, October 18, 2015
YouTube Video @ https://youtu.be/v3LBywLthjY
Determining the overall health and security of an industrial control system (ICS) network is currently done by looking at the negative case. If the network infrastructure devices indicate that all the devices are connected and communicating, then the network must be operating correctly. If the controllers indicate that they are able to communicate with the other devices in the system, then the system must be operating correctly. If the network security monitoring (NSM) or security information and event management (SIEM) systems are not indicating any security events, then the system must be operating correctly. In each of these cases, the assumption is that the system is operating correctly if there are no errors or events being indicated by any of the devices. In reality, the actual health and security of the system can only be determined by positive conditions. The communication streams need to be measured to determine that they are operating within certain limits based upon a desired set of conditions, like rate and maximum latency. Many controllers keep track of these factors for real-time communications; however, they are often only recorded as averages and not high-fidelity measurements.
This paper presents an approach to analyzing the real-time network traffic performance of an ICS by measuring the jitter and latency associated with individual network traffic streams in the system. By using statistical and mathematical analysis of the high-fidelity jitter and latency data, a network reliability factor can be determined and used to indicate the health of those traffic streams. The author will present a method to combine the individual network reliability factors into a network reliability monitoring system. Lastly, the author will discuss how network reliability monitoring can be used to indicate potential security problems by observing the network traffic patterns.
Presented @ BSidesDE, November 14, 2014
Cook like a hacker, and I don’t mean Ramen noodles, take-out pizza, and a bowl of cereal. A lot of hacking involves using a basic set of equipment, learning a powerful set of tools, following a basic set of procedures, a lot of improvising and experimenting, and learning from your mistakes. Cooking is the same. You can cook amazing meals, but it means that you have to be willing to apply a hacker-type mindset to an area that doesn’t involve computers.
Integrating the Alphabet Soup of StandardsJim Gilsinn
Presented @ 2014 ICS Cyber Security Conference
October 21, 2014
It’s been over a year since the NIST Cybersecurity Framework and ISA-62443-3-3 were published, ISA-62443-2-1 has been out for almost 5 years, and ISO/IEC 27001 & 27002 have been out for nearly a decade. NIST has already started their process for revisions, ISA is actively working to overhaul 62443-2-1, and ISO/IEC just published a major revision to their standard. In addition to these cross-domain standards, there are a multitude of local and sector-specific standards as well. As a consultant, we are often asked to use one of these as a baseline to help our customers generate an ICS cyber security program. This presentation will discuss some of the strengths and weaknesses of these different standards and the effort to integrate them into a realistic set of ICS cyber security program requirements.
Presented @ ISA Process Control & Safety Symposium
October 8, 2014
Description of the Kenexis project to build a ICS performance and security lab-in-a-box. This talk accompanies a live demo of the lab equipment.
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Jim Gilsinn
Presented @ Emerson Exchange
October 7, 2014
Industrial control systems (ICS) are large information technology (IT) systems. Unlike office IT systems, failure of an ICS can cause plant outages and even physical damage. Management of ICS needs to be different and smarter. IT vendors frequently recommend patches and configuration changes. Most have no impact on the ICS, which cannot implement changes in real time. ICS typically get one chance every few years to make changes - the turnaround. This paper describes optimization of ICS turnaround work, using cyber-vulnerability assessment to focus turnaround work on only what is necessary.
Cyber & Process Attack Scenarios for ICSJim Gilsinn
Presented at the OPC Foundation's "The Information Revolution 2014" in Redmond, WA August 5-6, 2014
This presentation discusses the modes and methodologies an attacker may use against an industrial control system in order to create a complex process attack. The presentation then discusses some specific examples, both real and hypothetical. The presentation finishes with a description of some common ways in which an organization could defend itself against these types of attacks.
Network performance testing for devices and systems can be a daunting task for vendors and end-users given the cost of test equipment and the investment that the companies have to spend in developing relevant tests and understanding the results. During the last couple years, a group of low cost computing systems have been introduced that are very capable from a functional point of view, but how well do they actually perform? Can they be used in a low-cost performance testing lab system to validate ICS devices before they go into production? Can end-users use them to capture live traffic in their network and get reliable performance results? This talk will discuss how and when different types of equipment can be used to develop a low-cost network performance testing lab. It will also show results from a series of performance tests conducted on some of the equipment and with different testing architectures.
With the ever-increasing number of networking protocols, it can be difficult for vendors, integrators, and end-users to determine how well different products and systems perform in real-world networking situations. Each protocol has its own method of defining traffic streams and message structures. Packet analyzers, like Wireshark, have been developed to interpret individual network packets and can perform rudimentary analysis of traffic streams for well-known packet types. Analyzing industrial protocols usually requires much more massaging of the data and in many cases requires a user to do much of the work by hand. This session will present a method to break down industrial traffic streams into the core components necessary to analyze their performance. By identifying a few key fields in each protocol, a user can define their own method to identify individual traffic streams and analyze their performance.
Presented in May 2010
This presentation goes through the Wireshark network analyzer. It presents an overview of the different features that I've found useful while doing network performance analysis for ICS network protocols.
Presented @ ISA Safety & Security Symposium 2012
Anaheim, CA, April 2012
Wireshark is the de facto network packet analysis tool used in the industry today. It is an easily extensible open-source tool that provides a large number of capabilities for users. It’s not just for IT-based protocols either. Many industrial protocols have created packet decoders for Wireshark. This tutorial will provide the user with:
* An introduction to protocol layering
* A basic overview of packet capture and analysis
* A demonstration of how Wireshark can be used for packet capture and analysis
* Examples of some industrial protocols in Wireshark
* An explanation of some more advanced features available in Wireshark
Test Tool for Industrial Ethernet Network Performance (June 2009)Jim Gilsinn
Presented @ 55th International Instrumentation Symposium
League City, Texas, 1–5 June 2009
Ethernet is being used by a wider variety of industrial devices and applications. Industrial applications and systems require deterministic operations that traditional Ethernet and Transport Control Protocol / Internet Protocol (TCP/IP) suites were not originally designed to support. A standardized way to describe and test industrial devices is needed in order to aid users to characterize the performance of their software and hardware applications.
The Manufacturing Engineering Laboratory (MEL) of the National Institute of Standards & Technology (NIST) has been working to develop a set of standardized network performance metrics, tests, and tools since 2002. NIST has cooperated with standards organizations and other groups during that time.
NIST is presently working on developing an open-source test tool, called Industrial Ethernet Network Performance (IENetP), to aid vendors in characterizing the performance of their devices. The IENetP test tool will be capable of conducting a full series of performance tests and reporting the results to the user. The current version of the software is capable of analyzing network traffic and producing statistics and graphs showing the network performance of a device.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build, inspired by diverse, explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies need to be explicitly articulated, and we need to develop theories of change in the context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
2. Jim Gilsinn
• Senior Investigator, Cybersecurity @ Kenexis Consulting
• International Society of Automation (ISA)
• Co-Chair, ISA99 Committee
• Co-Chair, ISA99 WG2, IACS Security Program
• Liaison to ISO/IEC JTC1/SC27 WG1 & WG3
• Previously Electrical Engineer @ NIST
June 3-5, 2014 ICSJWG Spring 2014 2
3. Overview
• Project Description
• ANSI/ISA-62443-3-3 Organization
• Step 1 – Defining the System Under Consideration
• Step 2 – Determining Applicable Requirements
• Step 2a – Develop Use Cases
• Step 3 – Assess Requirements
• Step 3a – Update Use Cases
• Step 3b – Reassess Requirements
• Step 4 – Report Results
• Questions
4. Project Description
• Network segmentation vendor assembled system from various components
  • Hardware
  • Software
  • Web-Based Database
• Wanted an assessment relative to ANSI/ISA-62443-3-3
  • System-level cyber security
  • Capability requirements
• Kenexis:
  • Conducted interviews
  • Reviewed manuals
  • Viewed system in lab environment
5. ANSI/ISA-62443-3-3 Organization
• Common Control System Constraints
• Foundational Requirements (FRs)
  • Identification & Authentication Control (IAC)
  • Use Control (UC)
  • System Integrity (SI)
  • Data Confidentiality (DC)
  • Restricted Data Flow (RDF)
  • Timely Response to Events (TRE)
  • Resource Availability (RA)
• System Requirements (SRs)
  • Base Requirement
  • Requirement Enhancements (REs)
6. Step 1 – Defining the System Under Consideration
[Diagram: components of the System under Consideration – Network Segmentation Device, Web-Accessible Audit Logging, Operating System, Basic File Transfer System, Basic Network Transfer System, Application-Specific Network Transfer, Application-Specific File Transfer, Virus & Malware File Checking]
7. Step 1 – Defining the System Under Consideration
[Diagram: the same System under Consideration diagram as slide 6]
8. Step 2 – Determining Applicable Requirements
• Not every requirement will apply for every system
• Requirements in 62443-3-3 are generally written from the end-user perspective
• For vendor product systems, some requirements…
  • Depend on end-user implementation
  • Apply to technology that is not implemented in the SuC or is outside its control
    • Whether the requirement applies depends on how it is not implemented or outside control
  • Are out-of-scope per vendor documentation
9. Step 2 – Determining Applicable Requirements
• Example #1 (Not Applicable) – Wireless
  • System has no wireless interfaces itself
  • Same capabilities for network segmentation of wired and wireless devices connected through system
• Example #2 (Applicable) – Multi-Factor Authentication
  • System provides a management interface with IAC and UC
  • System inherently has capability in operating system
  • Vendor has not been asked to implement by customers
• Example #3 (Applicable) – Unified Account Management
  • System provides a management interface with IAC and UC
  • System inherently has capability in operating system
  • Vendor has not been asked to implement by customers
10. Step 2 – Determining Applicable Requirements
• Example #4 (Not Applicable) – Protection of Time Source Integrity
  • System can utilize an existing time source on network
  • System has no time source capability itself (can’t act as stratum clock)
  • Network traffic from time source treated no differently
• Example #5 (Not Applicable) – PKI and Certificates
  • System doesn’t use PKI or certificate authorities
• Example #6 (Not Applicable) – Session Integrity
  • No TCP session information is transmitted through device
  • Device specifically designed to act as protocol break
  • Strips header information and rebuilds packets on other side
11. Step 2a – Develop Use Cases
• Use cases are a useful tool when conducting assessments
  • Describe how different components in system interact
  • Help to determine when requirements apply
• Use cases should represent realistic situations
  • Adaptations of real cases are the best
  • Generalizations are necessary
• ANSI/ISA-62443-3-3 has two as a starting point
  • Chlorine truck loading station
  • Manufacturing assembly line
12. Step 2a – Develop Use Cases
13. Step 2a – Develop Use Cases
• Elements adapted from ANSI/ISA-62443-3-3
  • Business Network
  • Control Center
  • Control System
  • Safety System
• Modifications from ANSI/ISA-62443-3-3 use cases
  • Vendor System Replaces DMZ
  • Added Production Server Network
  • Expansion of Business Server Network
14. Step 2a – Develop Use Cases
15. Step 2a – Develop Use Cases
• Elements adapted from ANSI/ISA-62443-3-3
  • Business Network
  • Robot Cells
• Modifications from ANSI/ISA-62443-3-3 use cases
  • Vendor System Replaces DMZ
  • Added Production Server and Device Networks
  • Expansion of Business Server Network
  • Added Inspection Station
16. Step 3 – Assess Requirements
• Is the requirement met by any single component in the system?
• If multiple components are needed to fulfill the requirement, do they act in a way that violates that requirement?
• In order for the component(s) to meet the requirement, do they violate other requirements?
• Are there optional configurations that allow the requirements to be met?
17. Step 3a – Revise Use Cases
• It is probable that the use cases will need to be revised
• During the requirements assessment, component features or configurations may be uncovered that change the use cases in some way
• Final use cases should follow real system configurations as closely as possible
18. Step 3b – Reassess Requirements
• It is possible that the system developer may have changed/added features during the assessment
• The system developer may want some of the requirements reassessed given the most recent features and/or configuration
19. Step 4 – Report Results
• Reporting should include, at a minimum:
  • Requirement pass/fail values
  • Requirement pass/fail justification
• Other good things to add:
  • Use cases
  • Low-hanging fruit and longer-term changes
  • Potential issues that may be uncovered through use cases
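As an added worked example (not part of the deck and not Kenexis's own tooling), the Python model below walks a constructed, hypothetical system through Steps 2 to 4: the applicability test, the four Step 3 questions (single component, multi-component violation, violation of other requirements, optional configuration), and the Step 4 report of pass/fail values with justification. The component names, capability and behaviour strings, and requirement keys are all constructed for the example; only the requirement titles and exclusion reasons follow slides 9 and 10.

```python
"""Model of the assessment flow in Steps 2-4: applicability, single- versus
multi-component satisfaction, conflicts, optional configurations, reporting."""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Optional

FRS = {"IAC", "UC", "SI", "DC", "RDF", "TRE", "RA"}   # Foundational Requirements (slide 5)

@dataclass
class Component:
    name: str
    provides: set[str]                                           # capabilities present by default
    behaviours: set[str] = field(default_factory=set)            # how it operates; may break requirements
    optional: dict[str, set[str]] = field(default_factory=dict)  # config name -> capabilities it adds

@dataclass
class Requirement:
    rid: str
    fr: str                                              # one of FRS
    needs: set[str]                                      # capabilities that jointly satisfy it
    violated_by: set[str] = field(default_factory=set)   # behaviours that defeat it
    na_if: Optional[tuple[str, str]] = None              # (use-case fact, reason): N/A when fact holds

@dataclass
class SuC:   # System under Consideration (Step 1) plus facts recorded in the use cases (Step 2a)
    components: list[Component]
    facts: set[str]

def _caps(c, enabled):
    return set(c.provides).union(*(c.optional[k] for k in enabled & set(c.optional)))

def _satisfying_sets(req, suc, enabled):
    """Smallest component subsets whose combined capabilities cover req.needs."""
    for n in range(1, len(suc.components) + 1):
        found = [s for s in combinations(suc.components, n)
                 if req.needs <= set().union(*(_caps(c, enabled) for c in s))]
        if found:
            return found
    return []

def assess(req, suc, all_reqs, enabled=frozenset()):
    """Step 2 applicability test, then the four Step 3 questions; returns (verdict, justification)."""
    assert req.fr in FRS, f"unknown FR {req.fr}"
    if req.na_if and req.na_if[0] in suc.facts:
        return "N/A", req.na_if[1]
    enabled = set(enabled)
    sets = _satisfying_sets(req, suc, enabled)
    if not sets:                                   # Q4: does an optional configuration allow it to be met?
        extra = {k for c in suc.components for k in c.optional} - enabled
        if extra and _satisfying_sets(req, suc, enabled | extra):
            return "FAIL (configurable)", f"not met by default; achievable by enabling {sorted(extra)}"
        return "FAIL", "no component or combination provides " + ", ".join(sorted(req.needs))
    reasons = []
    for s in sets:
        names = " + ".join(c.name for c in s)
        behaviours = set().union(*(c.behaviours for c in s))
        if behaviours & req.violated_by:           # Q2: the components act in a way that violates it
            reasons.append(f"{names} violates {req.rid} via {sorted(behaviours & req.violated_by)}")
            continue
        broken = [o.rid for o in all_reqs if o is not req and behaviours & o.violated_by]
        if broken:                                 # Q3: meeting it would violate other requirements
            reasons.append(f"{names} meets {req.rid} but violates {broken}")
            continue
        how = "single component" if len(s) == 1 else "combination"   # Q1
        return "PASS", f"met by {how}: {names}"
    return "FAIL", "; ".join(reasons)

def report(suc, reqs, enabled=frozenset()):
    """Step 4 minimum: a pass/fail value and its justification for every requirement."""
    return {r.rid: assess(r, suc, reqs, enabled) for r in reqs}

# Constructed sample: a hypothetical system, not the vendor product assessed in the talk.
SAMPLE_SUC = SuC(
    components=[
        Component("segmentation device", {"segmentation", "protocol_break"}, {"strips_tcp_headers"}),
        Component("management interface", {"user_auth", "role_based_access"},
                  optional={"os_mfa": {"multi_factor"}}),   # present in the OS but not enabled
        Component("file transfer system", {"file_transfer"}, {"skips_scan_for_large_files"}),
        Component("malware file checking", {"malware_scan"}),
        Component("web audit logging", {"audit_log"}, {"unauthenticated_log_view"}),
    ],
    facts={"no_wireless_interface", "protocol_break", "no_pki"},
)
SAMPLE_REQS = [   # titles follow slides 9-10; capability and behaviour strings are constructed
    Requirement("WIRELESS", "IAC", {"wireless_auth"}, na_if=("no_wireless_interface", "no wireless interfaces")),
    Requirement("SESSION_INTEGRITY", "SI", {"session_integrity"}, na_if=("protocol_break", "protocol break; no TCP session passes through")),
    Requirement("PKI", "IAC", {"certificates"}, na_if=("no_pki", "system doesn't use PKI or CAs")),
    Requirement("NET_SEGMENTATION", "RDF", {"segmentation"}),
    Requirement("MFA", "IAC", {"user_auth", "multi_factor"}),
    Requirement("USER_AUTH", "IAC", {"user_auth"}, violated_by={"unauthenticated_log_view"}),
    Requirement("SCANNED_TRANSFER", "SI", {"file_transfer", "malware_scan"}, violated_by={"skips_scan_for_large_files"}),
    Requirement("AUDIT_ACCESS", "TRE", {"audit_log"}),
]

if __name__ == "__main__":
    for rid, (verdict, why) in report(SAMPLE_SUC, SAMPLE_REQS).items():
        print(f"{rid:18} {verdict:20} {why}")
```

Re-running `report` with `enabled={"os_mfa"}` models Step 3b: reassessing after the developer enables a configuration that was available but unused.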
Good Morning.
My name is Jim Gilsinn, and I work for Kenexis Consulting.
We recently conducted an evaluation of a customer's products to assess how well they met the capability requirements described in ANSI/ISA-62443-3-3.
I’m here today to talk to you all about the methodology that Kenexis used to conduct this assessment.
First, a little bit about myself.
I joined Kenexis Consulting as a Senior Investigator for Cybersecurity in late 2012.
We specialize in taking a system-wide approach to assessing, designing, and validating ICS networks and security.
I am also the current Co-Chair of the ISA99 committee, the Co-Chair of the working group developing the 62443-2-1 standard on an ICS security program, and the liaison to the ISO/IEC committee developing the 2700x series of standards.
Previously, I spent 20 years in the Engineering Laboratory at NIST working on a variety of projects from ICS network performance tests and tools, wireless sensors, embedded sensor design, software design, robotics, and controls.
This is an overview of my talk today.
I’ll start by giving you a little bit of information about our project.
I’ll then go over a brief description of how the 62443-3-3 standard is organized, for those that aren’t familiar with it.
Then, I’ll move on to describing the steps in our methodology.
Step 1 – The first step in the project was to determine what constituted the System under Consideration
Step 2 – The next step was to determine the requirements that were applicable to the system. As part of this step, some basic use cases were developed to help determine which requirements should be excluded.
Step 3 – The third major step was to actually conduct the assessment. After the primary assessment was complete, the use cases were updated to reflect any additional information gained while conducting the assessment. As a final part to this step, it may be necessary to reassess some of the requirements if new information becomes available.
Step 4 – The final step in the process is reporting the results.
I should have time for questions at the end of my talk.
A vendor of network segmentation products approached Kenexis to conduct an assessment of one of their devices against 62443-3-3.
After some discussion, we reached the conclusion that it would be better to evaluate a series of products including the hardware device itself, some of the related software products, and an accompanying web-based database instead of just the hardware device itself.
This system actually matched up better to how their customers were purchasing and implementing their products.
They wanted to assess their system of products against the ANSI/ISA-62443-3-3 standard.
It describes capability requirements that need to be implemented in industrial control systems.
The method we used to collect data for the project is similar to many other consulting projects: we conducted interviews with staff members from the customer, we reviewed the product manuals, and we observed and interacted with the system in a lab environment.
I’m not going to go deeply into the ANSI/ISA-62443-3-3 standard or the other documents in the 62443 series.
I just wanted to explain how the requirements are broken down to those not familiar with it and explain how that affected our process.
The first clause with requirements in the standard is what is called “Common Control System Constraints”.
These generally deal with issues that cross over all the different Foundational Requirements.
The Common Constraints are also generally associated with security not affecting safety or other essential functions for the control system.
The majority of the requirements in -3-3 are contained within each of the Foundational Requirements sections.
Each of these sections represents a different aspect of cybersecurity.
It goes above and beyond the normal CIA since there are more aspects to ICS cybersecurity that don’t relate to the normal IT categories.
Also, aspects like Identification and Authentication and Use Control are extremely important with a large number of requirements, but arguably have no direct correlation to CIA aspects.
Within each of the FRs, there are individual System Requirements consisting of a base requirement and zero or more requirement enhancements.
The REs allow the standard to expand its required capabilities depending on the level of capability the system is built to attain.
Now, getting into the actual steps we took to conduct the assessment.
The first step was to decide what components actually constituted the system under consideration for the -3-3 assessment.
The vendor gave us a list of 6 different products that they sell:
• A hardware network segmentation device
• A software module to securely transfer files across the zone boundary
• A web-based database for audit logging and monitoring
• And 3 application-specific file and network traffic transfer software packages
Inside the hardware component there were some additional components that were base components for the network segmentation:
• A secure Linux-based operating system
• A network data transfer system
• A basic file transfer system
• And a virus and malware checking system
The core features that were considered part of the system related to the capability to:
• Control access to the different components
• Transfer network traffic and files in a controlled manner across the network zone boundary
• Prevent malicious network traffic and files from spreading across the zone boundary
• Provide some measure of audit logging and monitoring
Features like moving specific types of network traffic or files were not relevant to the cyber security aspect of the system, so they were removed from the assessment.
These were kept as good use cases for consideration as part of the project.
But, they didn’t represent a core feature that would affect the overall cyber security aspects of the capability requirements.
One thing to realize is that this was strictly a cyber security feature capability assessment.
Kenexis was not asked to do a code review or detailed vulnerability assessment of the system.
Those get into the actual implementation of the hardware and software components and were outside the scope of a functional capability assessment.
Out of the 110 requirements and requirement enhancements contained within -3-3, some will not apply to the system under consideration for various reasons.
Many of the requirements in -3-3 were written with an end-user implementation focus.
In this case, we were evaluating a vendor’s system of components.
Some of the reasons that requirements were eliminated from consideration were:
• They had to do with end-user implementation of the product and were not something that the system would be capable of implementing
• They applied to technology that was not implemented at all within the system
• They related to technology that was outside the control of the system under consideration
• They were out of scope based upon specific user documentation recommending against using the system in that way
I understand that people always take things and implement them in ways that the vendor probably didn’t anticipate, but when the vendor expressly tells the user not to implement their products in a certain way, then the user is assuming the risk for any associated weaknesses they introduce into the system.
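As an added illustration, not from the talk or from Kenexis, the following Python sketch encodes the methodology described above: a catalogue fragment in the SR/RE/SL shape the standard uses, Step 2 exclusion reasons, the Step 3 questions (single component, combination, optional configuration), and the Step 4 pass/fail report with justification, plus the capability level each SR reaches from the REs that pass. The catalogue entries paraphrase SR 1.1 from memory and the findings are constructed for a hypothetical segmentation system; check both against the standard before reusing them.

```python
from dataclasses import dataclass, field

# Constructed catalogue fragment in the shape of ISA-62443-3-3: base System Requirement (SR) plus
# Requirement Enhancements (REs), each with the lowest Security Level (SL) at which it applies.
CATALOGUE = {
    "SR 1.1":       ("Human user identification and authentication", 1),
    "SR 1.1 RE(1)": ("Unique identification and authentication", 2),
    "SR 1.1 RE(2)": ("Multifactor authentication for untrusted networks", 3),
    "SR 1.1 RE(3)": ("Multifactor authentication for all networks", 4),
    "SR 1.5":       ("Authenticator management", 1),
}

@dataclass
class Finding:  # evidence for one requirement: a Step 2 exclusion or the Step 3 answers
    satisfied_by: list = field(default_factory=list)  # components that together meet it
    optional_config: str = ""                         # non-default setting it depends on
    excluded_because: str = ""                        # Step 2 reason it is out of scope

def assess(f):
    """Answer the Step 3 questions for one requirement: (verdict, justification)."""
    if f.excluded_because:
        return "N/A", "excluded: " + f.excluded_because
    if not f.satisfied_by:
        return "FAIL", "no component in the system provides the capability"
    why = ("single component: " if len(f.satisfied_by) == 1 else "combination: ") + "+".join(f.satisfied_by)
    if f.optional_config:
        why += "; requires optional configuration: " + f.optional_config
    return "PASS", why

def capability_sl(sr, results):
    """Highest SL at which the base SR and every RE at or below that SL pass."""
    level = 0
    for sl in (1, 2, 3, 4):
        if any(results.get(r, ("FAIL",))[0] != "PASS" for r, (_, s) in CATALOGUE.items()
               if (r == sr or r.startswith(sr + " RE(")) and s <= sl):
            break
        level = sl
    return level

def report(findings):
    """Step 4 output: verdict and justification per requirement, and the SL reached per SR."""
    results = {r: assess(findings.get(r, Finding())) for r in CATALOGUE}  # no finding = FAIL
    return results, {sr: capability_sl(sr, results) for sr in {r.split(" RE(")[0] for r in CATALOGUE}}
FINDINGS = {  # constructed findings for a hypothetical segmentation system, not the vendor's data
    "SR 1.1": Finding(satisfied_by=["segmentation device"]),
    "SR 1.1 RE(1)": Finding(satisfied_by=["segmentation device", "audit database"]),
    "SR 1.1 RE(2)": Finding(["segmentation device"], optional_config="remote-admin MFA option"),
    "SR 1.5": Finding(excluded_because="end-user implementation per product documentation"),
}  # SR 1.1 RE(3) has no finding: nothing covers all networks, so it fails and SR 1.1 stops at SL 3
```

Calling `report(FINDINGS)` returns the per-requirement verdicts with their justification text and `{"SR 1.1": 3, "SR 1.5": 0}` for the levels reached.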
I’ll explain a little bit more about the implementation and outside control with some examples, which may make it easier to understand.