Human Factor and IT/OT Correlation
TRANSCRIPT
HUMAN FACTORS AND IT-OT CORRELATION
Andrea Vallavanti, ICT Manager
DEFINITIONS
IT: The entire spectrum of technologies for information processing, including software, hardware, communications technologies and related services. In general, IT does not include embedded technologies that do not generate data for enterprise use.
OT: Hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.
EVOLUTION AND INTEGRATION
[timeline figure: OT, then OT + IT; axis ticks 80, 90, 2k, NOW]
IT AND OT CONVERGING
Transportation, oil & gas, healthcare, defense, mining, utilities, manufacturing.
SECURITY/OBSCURITY AND STANDARDS
A shared set of standards and platforms across IT & OT will reduce the cost of SW management ... and will reduce risk, which comes from reducing malware and internal errors.
Cybersecurity not only from an IT point of view, but from a «holistic» IT-OT security point of view.
«Security through obscurity» was an acceptable policy with most older-generation OT platforms: no need for an external connection.
It is no longer possible to rely on this maxim, because OT platforms have evolved to use commercial generic infrastructure with external WAN connections.
CIA TRIAD
HUMAN THREAT
• Failure of staff to understand new threats.
• Increased use of social media by staff.
• Failure of IT staff to follow security procedures and policies.
• General negligence/carelessness with websites and applications.
• Lack of security expertise with websites and applications.
EXTERNAL THREAT
WORKLIFE
COMMON THREAT: INFORMATION TECHNOLOGY & OPERATIONAL TECHNOLOGY
IT & OT CONCERNS
COMMON GROUND
• Security analysis with VA-PT. Highlight threats and remediation.
• Upgrade of firmware and SW, and integrity of the updates.
• Identifying & authenticating all devices within the system.
• Define responsibilities and common rules of data interchange.
• VA-PT have to be scheduled.
• Awareness of threats for employees.
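The "integrity of the updates" point above is the one item in this list that reduces to a concrete check a device or an update server can perform before a firmware or SW image is applied. The following is an added example, not code from the slides or from any vendor's update tooling: it builds a manifest for a constructed firmware image and then verifies the manifest's authenticity, the image hash, the target device model and an anti-rollback rule. It assumes a symmetric HMAC key shared with the update server (a simplification standing in for the public-key signature a real vendor would use) and invented model and version values.

```python
import hashlib
import hmac
import json

# Constructed sample key (assumption: a shared HMAC key stands in for the
# vendor's public-key signature scheme; not a real key).
VENDOR_KEY = b"example-vendor-key-not-for-production"


def _canonical(body: dict) -> bytes:
    """Serialize the manifest body deterministically so the MAC is reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(image: bytes, version: str, device_model: str) -> dict:
    """Build a signed manifest for a firmware image (used here to construct test data)."""
    body = {
        "version": version,
        "device_model": device_model,
        "sha256": hashlib.sha256(image).hexdigest(),
    }
    mac = hmac.new(VENDOR_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def parse_version(version: str) -> tuple:
    """Turn '2.1.0' into (2, 1, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def verify_update(image: bytes, manifest: dict, expected_model: str,
                  installed_version: tuple) -> tuple:
    """Return (ok, reason). All four checks must pass before the update is applied:
    manifest authenticity, target model, image integrity and anti-rollback."""
    body = manifest.get("body", {})
    expected_mac = hmac.new(VENDOR_KEY, _canonical(body), hashlib.sha256).hexdigest()
    # Authenticity first: a tampered body (hash, version, model) invalidates the MAC.
    # compare_digest is constant-time, so the comparison does not leak how much matched.
    if not hmac.compare_digest(expected_mac, manifest.get("mac", "")):
        return False, "manifest signature invalid"
    if body.get("device_model") != expected_model:
        return False, "manifest is for a different device model"
    # Integrity: the image we actually received must match the signed hash.
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), body.get("sha256", "")):
        return False, "image hash does not match manifest"
    # Anti-rollback: refuse to install an older (or the same) version, since a
    # genuinely signed old image may carry known vulnerabilities.
    if parse_version(body.get("version", "0")) <= installed_version:
        return False, "rollback to older or same version refused"
    return True, "update accepted"


if __name__ == "__main__":
    # Constructed firmware image and manifest for a hypothetical "PLC-X" device.
    firmware = b"\x7fELF constructed-firmware-image v2.1.0"
    manifest = build_manifest(firmware, "2.1.0", "PLC-X")
    print(verify_update(firmware, manifest, "PLC-X", (2, 0, 5)))
    print(verify_update(firmware + b"\x00", manifest, "PLC-X", (2, 0, 5)))
```

The order of the checks matters: the MAC is verified before any field of the body is trusted, so a manifest whose hash or version field was edited in transit fails at the first step rather than at a later one that already believed the edited value.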
NEW EMPLOYEE
POLICY AND PROCEDURES: ENOUGH???
Employees have defined, strict boundaries to respect, or imposed by automatic or predefined rules / HW.
Employees, even if trained, need to interact daily in different ways, and only with a clear understanding of external/internal menaces can they be aware.
SOMETIMES YES IF …
SOMETIMES NO IF
CYCLE OF SECURITY [diagram]
• SECURITY EDUCATION: policy, procedures, cybersecurity fundamentals
• SECURITY ASSESSMENT: penetration testing; impact of pen test with risk analysis
• REMEDIATION PHASE: fill the gap; budget €
• INCIDENT INVESTIGATION: threat analysis, incident response, impact on business
SOME BULLET POINTS
• Companies with security awareness programs invest 76% less compared to those not receiving training.
• Companies with security awareness programs have a 50% lower probability of incurring a violation of personal safety.
GOOD CYBERSECURITY AWARENESS CAN DETERMINE:
• Accidents decrease up to 80%
• Reduction of ransomware of 50-60%
• Translation of cybersecurity from an IT concept into a company concept
• Measurable results in terms of cybersecurity awareness
PLATFORM FOR TRAINING AND ONLINE SKILL
COMPETENCE ANALYSIS: Determine in depth the skill requirements relating to the workplace. Skill assessment also as a function of the role covered in the company.
TRAINING MODULE: Anti-phishing protection, data protection and data destruction, secure approach to social networks, physical security, smartphone security, web surfing, social engineering, email security and passwords.
SIMULATED ATTACK (SIMULATION): E-mail phishing personalized with different levels of difficulty. Employees also learn through mistakes, and a dedicated module can be tailored to fill the gap.
ANALYSIS AND REPORTS: Security campaign report by: group, type of device, office, location (industrial or office).
WHATEVER IS THE EXTERNAL AWARENESS
• October Cybersecurity Awareness Month: Every Employee Should Be A Level Of Security
• National Cyber Security Awareness Month: Security Tips for Enterprises and Employees
• Top online safety practices for companies & employees – Cyber Security Awareness Month 2016
SUBJECTS INVOLVED
• Senior Manager: short training, impact on the business
• Line Manager: motivational training
• All Employees: computer-based, on-access training
• Security Officers: cybersecurity culture assessment, leading to the light side
TOP-DOWN APPROACH
Senior Manager → Line Manager → All Employees → Security Officers (top down)
WHY?
• When top executives lead by example and participate themselves, key messages are understood to be important by the masses. Leading by example is key.
• Budget €/$
• Make it simple … Stick to max three topics
• You cannot use the same materials that you intend to use for the general population. Executives have concerns that are unique to their job function.
OPTIMIZING CONTROL INVESTMENT
[chart: cost of controls and cost of impact plotted against increasing control; the optimum level of control investment is where the total of the two is lowest]
Companies with limited security controls suffer relatively more information security breaches.
Beyond a certain point it is important to balance the cost of additional controls against the cost coming from security breaches.
We clearly should not invest in additional controls unless we are convinced they are truly cost-effective.
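The balance the chart describes can be made concrete with a small cost model. The following is an added example, not from the slides: it assumes (as a constructed simplification) that expected breach cost falls geometrically with each unit of control added while control cost grows linearly, and then finds the control level at which the total is lowest and checks whether one more unit of control would pay for itself. The figures (baseline loss, decay rate, unit cost) are invented for illustration.

```python
def expected_breach_cost(level: int, baseline_loss: float, decay: float) -> float:
    """Expected loss from breaches at a given control level.
    Assumption (constructed model): each added control unit cuts expected loss
    by a fixed fraction `decay`, so the curve falls but never reaches zero."""
    return baseline_loss * (1.0 - decay) ** level


def control_cost(level: int, unit_cost: float) -> float:
    """Assumption (constructed model): controls cost a fixed amount per unit."""
    return unit_cost * level


def total_cost(level: int, baseline_loss: float, decay: float, unit_cost: float) -> float:
    """The curve the chart calls the sum of cost of controls and cost of impact."""
    return control_cost(level, unit_cost) + expected_breach_cost(level, baseline_loss, decay)


def optimum_control_level(baseline_loss: float, decay: float, unit_cost: float,
                          max_level: int = 50) -> tuple:
    """Return (level, total) that minimizes total cost over levels 0..max_level."""
    best = min(range(max_level + 1),
               key=lambda lvl: total_cost(lvl, baseline_loss, decay, unit_cost))
    return best, total_cost(best, baseline_loss, decay, unit_cost)


def marginal_value(level: int, baseline_loss: float, decay: float, unit_cost: float) -> float:
    """Cost-effectiveness test for one more control unit: the expected loss it
    removes minus what it costs. Positive means it pays for itself."""
    saved = (expected_breach_cost(level, baseline_loss, decay)
             - expected_breach_cost(level + 1, baseline_loss, decay))
    return saved - unit_cost


if __name__ == "__main__":
    # Constructed scenario: 1 M expected loss with no controls, each control
    # unit removes 30% of the remaining expected loss and costs 50 k.
    BASELINE, DECAY, UNIT = 1_000_000.0, 0.30, 50_000.0
    for lvl in range(9):
        print(lvl, round(total_cost(lvl, BASELINE, DECAY, UNIT)),
              "next unit worth it:", marginal_value(lvl, BASELINE, DECAY, UNIT) > 0)
    print("optimum:", optimum_control_level(BASELINE, DECAY, UNIT))
```

With these figures the total falls until the sixth control unit and rises afterwards, and `marginal_value` flips sign at the same point: the seventh unit would remove less expected loss than it costs, which is the "truly cost-effective" test from the slide expressed as a number.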
REMIND THAT ….
Employees make simple mistakes which place them at risk.
Human error is responsible for 95% of all security incidents.
• Lax email habits: opening suspicious emails, clicking through to websites where attackers can then phish for details.
• Weak passwords, easy to hack after personal information is shared.
• Not backing data up.
• Poor security habits outside work.
• Unpatched vulnerabilities & connecting to unsecured Wi-Fi networks.
CONCLUSIONS
WE MUST TACKLE THE HUMAN FACTOR AS WELL AS THE TECHNOLOGY
PROACTIVELY MANAGING THE RISKS INVOLVES ASSESSING AND REASSESSING ALL THREATS, VULNERABILITIES ETC.
OVERALL INVOLVEMENT IN SECURITY: TOP-DOWN APPROACH
THIS IS NOT A ONE-OFF «FIRE AND FORGET» OPERATION
THANKS!
Andrea Vallavanti – ICT Manager
Mail to: [email protected]
https://goo.gl/Kgnoya
Federprivacy Member
"The relationship between the IT and OT
groups needs to be managed better, but
more importantly, the nature of the OT
systems is changing, so that the underlying
technology — such as platforms, software,
security and communications — is
becoming more like IT systems," said
Kristian Steenstrup, research vice
president and Gartner fellow. "This gives a
stronger justification for IT groups to
contribute to OT software management,
creating an IT and OT alignment that could
be in the form of standards, enterprise
architecture (EA), support and security
models, software configuration practices, and information and process integration."
IT and OT are converging in numerous important industries, such as
healthcare, transportation, defense, energy, aviation, manufacturing,
engineering, mining, oil and gas, natural resources, and utilities. IT leaders
who are impacted by the convergence of IT and OT platforms should consider
the value and risk of pursuing alignment between IT and OT, as well as the
potential to integrate the people, tools and resources used to manage and
support both technology areas.
"A shared set of standards and platforms across IT and OT will reduce costs
in many areas of software management, and reduced risks come from
reducing malware intrusion and internal errors," Mr. Steenstrup said.
"Cybersecurity can be enhanced if IT security teams are shared, seconded or
combined with OT staff to plan and implement holistic IT-OT security. 'Security
through obscurity' was an acceptable policy with most older-generation OT
platforms because of their proprietary architectures and limited connection to
IT. It is no longer possible to rely on this maxim, because OT platforms have
evolved to use commercial generic infrastructures."
With IT and OT converging, the scope of CIO authority may cater to the needs
of planning and coordinating a new generation of operational technologies
alongside existing information- and administration-focused IT systems. The
key change for CIOs may be that their role moves from leading the IT delivery
organization to leading the exploitation of the business assets of processes,
information and relationships across all technologies in the enterprise — IT or
OT, whether delivered, supported, or managed by the formal IT organization
or elsewhere.
"The intersection of IT and OT changes the relative importance of IT
management disciplines for the IT organizations concerned. CIOs and other IT
leaders need to evaluate and realign their roles and relationships to maximize
the value of converging IT and OT," said Mr. Steenstrup. "CIOs have a great
opportunity to lead their enterprises in exploiting information flows from digital
technologies. By playing this role, they can better enable decisions that
optimize business processes and performance."
• Governance
• We'll help you build the Security Policies, Standards, and Procedures that form the basis of your security program. From there we'll address each aspect of your enterprise, helping you select and implement the most appropriate technologies, tools and products to achieve your security and business goals.
• Security Engineering
• Human Element will show you how to implement engineering processes using secure design principles. We have assisted commercial and Government organizations to effectively apply security engineering and evaluation models. First, we'll help you define the most appropriate security controls for your information systems based on your risk, threat, and regulatory environment. Then we'll define specific security architectures, designs, and solutions to mitigate potential vulnerabilities. We have experience engineering web-based systems, mobile systems, embedded devices, cyber-physical systems, and cryptographic solutions as well as site and facility physical security.
• Governance
• Security Engineering
• Physical Security
• Communications and Networks
• Access Control - Identity and Access Management
• Assessments and Testing
• Security Network Operations Support
• Application Security
• Business Continuity and Disaster Recovery
• Vulnerability Management
• Intrusion Detection
• Asset and Data Security
• Human-Based Cyber Defense
• Security Operations