Information Security Standards in Critical Infrastructure Protection Berlin 11/11/2015 Alessandro Guarino StudioAG


Slide 1 of 19

Information Security Standards in Critical Infrastructure Protection

Berlin 11/11/2015

Alessandro Guarino, StudioAG


Slide 2 of 19

Introduction

● Computers everywhere!

● ICT technologies are pervasive even in very analog settings: trains, planes, automobiles (and water treatment)

● Worse… everything seems to be connected


Slide 3 of 19

Introduction

● However… we have a problem

● Industrial plants and infrastructure applications have their own peculiarities:

– Physical effects

– Long life and legacy systems

– Geographical dispersion

– Safety first!

– Important societal impacts – several stakeholders


Slide 4 of 19

Introduction

● [...] an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions.

(Definition of “critical infrastructure” in Council Directive 2008/114/EC, Art. 2(a))


Slide 5 of 19

Introduction

● Standards as an integral part of Infosec

● In CIP and Cyber Security they are becoming integral to policy

● Cybersecurity policy sits at the crossroads of Information Technology, Security, Policy, Economics...


Slide 6 of 19

The World of Standardisation

● Overly fragmented and complex (actors and bodies, geography, interests involved…)

● Rough classification of norms along two parameters:

– Technical vs. Organisational

– Certifiable vs. Non-certifiable


Slide 7 of 19

The World of Standardisation

● Who writes standards?

● An alphabet soup (selection):

● Europe: CEN, CENELEC & ETSI

– The “European Standardisation Organisations” (ESOs)

● United States: NIST, ANSI, NERC

● Worldwide: ISO, IEC

● Many, many others...


Slide 8 of 19

Available Standards

(Some of them...)

ISO/IEC 27001

Common Criteria, aka ISO/IEC 15408

NIST SP 800-53

NERC CIP

ANSI/ISA 99 (now the ISA/IEC 62443 series)


Slide 9 of 19

ISO/IEC 27001

● Risk-based

● Wide range of controls

● Not specific: needs to be tailored and implemented for each organisation

● Part of the ISO/IEC 27000 series


Slide 10 of 19

Common Criteria

● Concerned with the design and development of individual products (the Target of Evaluation)

● Adopted in the military

● Not directly applicable to a whole infrastructure, but useful to assess the level of security of single elements of the system (an evaluation covers the product as described in its Security Target, not the system it is deployed in)


Slide 11 of 19

American Standards

● NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations”

● The NIST Cybersecurity Framework of 2014 (“Framework for Improving Critical Infrastructure Cybersecurity”)


Slide 12 of 19

American Standards

● NERC CIP standards for the North American bulk power system

● A very interesting case study for policy

● (A specific sector, but the power grid is the example of a Critical Infrastructure, central to many others)


Slide 13 of 19

Standardisation Policies

● Standard development

● Standard implementation and adoption


Slide 14 of 19

Standardisation Policies

● The development phase

– Europe: the ESO ecosystem, the Commission and their interactions

– US: free market and Supreme Executive Power


Slide 15 of 19

Standardisation Policies

● Adoption of standards: policy options

– No mandatory standardisation (non-interference)

– Voluntary standardisation compliance (possibly with economic incentives)

– Mandatory compliance (NERC CIP)


Slide 16 of 19

Standardisation Policies


Slide 17 of 19

Conclusions

● The benefits of technical standardisation are mostly non-controversial

● Adoption of organisational models is sketchy

● Problem – organisational security models are fundamental for Cyber Security

● Policy-wise, mandatory adoption seems necessary for CI. Alternatives?


Slide 18 of 19

Thank you! Any questions?

Contacts:

[email protected]

@alexsib17

Full Paper and Slide Deck Freely Available at: www.studioag.pro

(Information Security Blog)

StudioAG – Infosec Consultancy Firm: www.studioag.eu


Slide 19 of 19

References

● CEN-CENELEC-ETSI Cyber Security Coordination Group: “Recommendations for a Strategy on European Cyber Security Standardisation”, 2014 (http://www.cscg.focusict.de)

● Dept. of Homeland Security: “Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization and Protection”, 2003

● ISO/IEC: “ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements”, 2013

● NIST: “Framework for Improving Critical Infrastructure Cybersecurity”, 2014

● NIST: “NIST Special Publication 800-53 Revision 4 – Security and Privacy Controls for Federal Information Systems and Organizations”, 2013