integrating the alphabet soup of standards
DESCRIPTION
Presented at the 2014 ICS Cyber Security Conference, October 21, 2014.

It has been over a year since the NIST Cybersecurity Framework and ISA-62443-3-3 were published, ISA-62443-2-1 has been out for almost 5 years, and ISO/IEC 27001 and 27002 have been out for nearly a decade. NIST has already started its revision process, ISA is actively working to overhaul 62443-2-1, and ISO/IEC has just published a major revision of its standard. In addition to these cross-domain standards, there is a multitude of local and sector-specific standards. As consultants, we are often asked to use one of these as a baseline to help our customers generate an ICS cyber security program. This presentation discusses some of the strengths and weaknesses of these different standards and the effort to integrate them into a realistic set of ICS cyber security program requirements.

TRANSCRIPT
Kenexis® All Rights Reserved 2014 1
Integrating the Alphabet Soup of Standards
Jim Gilsinn
October 21-23, 2014
Jim Gilsinn
• Senior Investigator, Kenexis Security
• 23 years engineering experience
  – 13 years in ICS network performance and security
• Areas of responsibility
  – ICS network and cyber vulnerability assessments
  – ICS network and cyber security designs
  – Developer, Kenexis Gemini network analysis system
  – Developer, Kenexis Lab-in-a-Box system
• International Society of Automation (ISA)
  – Co-chair, ISA99 committee (ISA/IEC 62443 series)
  – Co-chair, ISA99 WG2, cyber security program
  – ISA99 liaison to ISO/IEC JTC1/SC27
Some History
ISA99 Security Program (figure: the two layers of the program, "Requirements" and "Implementation Guidance")
ISA99 Security Program – History
• 2004 – ISA-TR99.00.02 – ISA publishes guidance material on building a security program and other relevant information
• 2009 – ISA-99.02.01 – ISA publishes standard on IACS security program
• 2010 – IEC-62443-2-1 – IEC publishes standard
  – Advises ISA that the standard must be re-written as a modification to ISO/IEC 2700x
• 2012 – ISA-62443-2-1 Draft – ISA issues draft for comment on revised format
  – Not approved
• Current – ISA-62443-2-1 Draft – Planning next committee draft for vote later this year
ISA99 Security Program – Documents
• ISA-62443-2-1 – Requirements for an IACS security management system
  – Modify requirements in both ISO/IEC 27001 & 27002 for IACS
  – Annexes provide additional requirements
  – Annexes with guidance on specific requirements
• ISA-62443-2-2 – Implementation guidance for an IACS security management system
  – Include much of the informative material from the 1st edition
  – Guidance material on how to actually satisfy requirements
NIST Special Publications
• SP800-53
  – Security program and controls
  – Included Annex I for ICS
  – 2009/2010 – Revision 3
  – 2013 – Revision 4 (Draft)
  – Revision 4 changes to an overlay model
    • Establish base controls
    • Allow for modifications as necessary for different industries
    • Annex I moved to SP800-82
• SP800-82
  – Inherited some guidance material from ISA-TR99.00.02
  – Provides guidance on meeting the requirements in 800-53 for ICS
  – Newer versions greatly expand on the material and provide an ICS overlay
  – 2011 – Revision 0
  – 2013 – Revision 1
  – 2014 – Revision 2 (Draft)
NIST Cybersecurity Framework
• Feb. 2013 – President issues Executive Order 13636
  – Directed NIST to develop a voluntary framework – based on existing standards, guidelines, and practices – for reducing cyber risks to critical infrastructure
• Feb. 2014 – NIST releases version 1.0
• Oct. 2014 – NIST starting process for revision
• Risk management framework
  – Framework Core – Requirements & references
  – Framework Implementation Tiers – Maturity model
  – Framework Profile – States of the system (current, target)
NIST Cybersecurity Framework (figure only)
ISO/IEC 2700x
• 1995 – BS7799 published
• 1999 – BS7799 revised
• 2000 – ISO/IEC 17799 published
• 2002 – BS7799-2 revised
  – Implemented Plan-Do-Check-Act model
• 2005 – ISO/IEC 27001 replaces BS7799-2
• 2007 – ISO/IEC 27002 replaces ISO/IEC 17799
• 2013 – ISO/IEC 27001 & 27002 revised
  – Dropped the Plan-Do-Check-Act model in favour of continual improvement
  – Created a consistent management system structure
Cross Mapping Problem
Cross Mapping Problem
• Cybersecurity Framework – 99 Categories
• SP800-53r4 – 256 Req., 666 Req. Enhancements
• ISA-62443-2-1-2009 – 126 Req.
• ISO/IEC 27001 – 140 Req.
• ISO/IEC 27002 – 114 Req.
Cross Mapping Problem
• NIST Cybersecurity Framework
  – Probably the closest to a wide cross mapping
  – References selected controls in
    • SANS 20 Controls (CCS CSC)
    • COBIT 5
    • ISA-62443-2-1-2009
    • ISA-62443-3-3-2013
    • ISO/IEC 27001:2013
    • NIST SP800-53r4
• ISA-62443-2-1
  – Being rewritten as a modification to ISO/IEC 27001 & 27002
• Other standards?
  – NERC CIP (US)?
  – CFATS (US)?
  – CPNI (UK)?
  – WIB (NL)
  – National ICS Security Standard (Qatar)
Creating a Security Program
Creating a Security Program
• As a consultant, how do we help our customers create a security program?
• No one standard has everything
• Don't try to be an expert in everything
  – Pick one and become an expert
  – Pick one or two others and become knowledgeable
  – Get exposed to the others
  – Pick individuals to gain knowledge on different ones
  – Many of them have similar requirements
• Customers generally have one in mind
  – As part of the RFP, customers generally indicate which one they want to use as their base
Creating a Security Program
• Try to avoid one-off solutions
  – Start with a main standard
  – Integrate the good parts of other standards
  – Create a repeatable process
• But don't create a cookie-cutter solution
  – Customers all have different needs and priorities
  – The security program will need to be tailored
• Include a checklist, but don't focus on it
  – Everyone talks about not using a checklist approach
  – Customers want a simple assessment tool to evaluate whether they met their design goals
  – Checklists provide "add-on value" for customers
Creating a Security Program
• So what do we do at Kenexis?
• Avoid approaching this from a purely security point of view
  – Security is insurance, and everyone hates paying for insurance
  – System reliability is a much better tack
• A viable security program is difficult to design without an assessment
Creating a Security Program
• 2-stage risk assessment
  – Incredibly valuable part of ISA-62443-2-1
  – High-level risk assessment to determine areas that need more attention
    • Doesn't have to be an analytical approach, but it helps for repeatability
  – Low-level risk assessment is NOT a pen test!
    • We have created an ICS Cyber Vulnerability Assessment (CVA) process
    • Low-level risk assessment needs to include process evaluation
    • Show the existing vulnerabilities and problems, but do not actually demonstrate exploits
    • Not every network "vulnerability" is a real problem
Creating a Security Program
• Asset inventory
  – Absolutely necessary
  – Almost never correct
  – Not just hardware devices; also look at software
• Zones & Conduits
  – The zone & conduit model is a way to visualize the segmentation in a network
  – It is logical, not real!
  – It is only real if the systems are actually implemented correctly
  – Overlay zones on the actual network architecture for practicality
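The two points on this slide (an inventory that is almost never correct, and a zone/conduit model that is only real if the network actually enforces it) can be checked mechanically once you have an inventory, a list of declared conduits and some observed traffic. The script below is an added example written for this page; it is not Kenexis code and not part of the presentation. The inventory, the conduit list and the firewall-style log lines are all constructed, and the log format is a hypothetical one chosen for the example. Each observed flow is classified as inside a zone, matching a declared conduit, crossing a zone boundary with no conduit (the model is not implemented), or touching an address the inventory does not know about (the inventory is wrong before the model can even be judged).

```python
"""Check a logical zone/conduit model against observed network flows.

Added example, not code from the presentation or from Kenexis.  The
inventory, conduit model and log lines below are all constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical asset inventory: IP -> (asset name, zone).  Traffic to or from
# an address missing here is reported separately, because that is where an
# "almost never correct" inventory shows up first.
INVENTORY: dict[str, tuple[str, str]] = {
    "10.10.1.10": ("HMI-1", "control"),
    "10.10.1.20": ("PLC-1", "control"),
    "10.20.1.5": ("Historian", "dmz"),
    "10.30.1.50": ("EngWS-1", "enterprise"),
}

# Declared conduits: (source zone, destination zone, protocol, dest port).
# Any flow crossing a zone boundary that is not listed here contradicts the
# drawn model, whatever the firewall happens to permit.
CONDUITS: set[tuple[str, str, str, int]] = {
    ("dmz", "control", "tcp", 44818),   # historian polls PLCs (EtherNet/IP)
    ("enterprise", "dmz", "tcp", 443),  # enterprise users read the historian
}

# Constructed firewall-style log lines (hypothetical format, not real captures).
SAMPLE_LOG = """\
2014-10-21T09:00:01 src=10.20.1.5 dst=10.10.1.20 proto=tcp dport=44818
2014-10-21T09:00:02 src=10.30.1.50 dst=10.20.1.5 proto=tcp dport=443
2014-10-21T09:00:03 src=10.10.1.10 dst=10.10.1.20 proto=tcp dport=44818
2014-10-21T09:00:04 src=10.30.1.50 dst=10.10.1.20 proto=tcp dport=44818
2014-10-21T09:00:05 src=10.30.1.99 dst=10.10.1.20 proto=tcp dport=502
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow | None:
    """Parse one log line; returns None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return Flow(m["src"], m["dst"], m["proto"].lower(), int(m["dport"]))


def zone_of(ip: str) -> str | None:
    """Zone from the inventory, or None if the address is not inventoried."""
    entry = INVENTORY.get(ip)
    return entry[1] if entry else None


def classify(flow: Flow) -> str:
    """Compare one observed flow with the zone/conduit model."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unknown-asset"   # inventory gap: fix the inventory first
    if src_zone == dst_zone:
        return "intra-zone"      # inside one zone: not governed by a conduit
    if (src_zone, dst_zone, flow.proto, flow.dport) in CONDUITS:
        return "conduit"         # matches a declared conduit
    return "no-conduit"          # boundary crossed outside the model


def check_log(text: str) -> list[tuple[str, Flow]]:
    """Classify every parsable flow in a log; input order is preserved."""
    results = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is not None:
            results.append((classify(flow), flow))
    return results


def violations(text: str) -> list[Flow]:
    """Flows showing that the network does not implement the drawn model."""
    return [f for status, f in check_log(text)
            if status in ("no-conduit", "unknown-asset")]


if __name__ == "__main__":
    for status, flow in check_log(SAMPLE_LOG):
        print(f"{status:14} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

In the constructed log, the fourth line is an engineering workstation talking straight to a PLC across the enterprise/control boundary with no conduit declared, and the fifth comes from an address the inventory has never heard of. Both are what the slide means by a zone model that is "logical, not real": the drawing says one thing, the traffic says another, and the inventory gap has to be closed before the second one can even be attributed to a zone.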
Questions?
Contact Information
• Jim Gilsinn
  – Email: [email protected]
  – Phone: +1-614-323-2254
  – Twitter: @JimGilsinn
  – LinkedIn: http://www.linkedin.com/in/jimgilsinn/
  – SlideShare: http://www.slideshare.net/gilsinnj
  – Website: http://www.kenexis.com