Integrating the Alphabet Soup of Standards


DESCRIPTION

Presented @ 2014 ICS Cyber Security Conference October 21, 2014 It’s been over a year since the NIST Cybersecurity Framework and ISA-62443-3-3 were published, ISA-62443-2-1 has been out for almost 5 years, and ISO/IEC 27001 & 27002 have been out for nearly a decade. NIST has already started their process for revisions, ISA is actively working to overhaul 62443-2-1, and ISO/IEC just published a major revision to their standard. In addition to these cross-domain standards, there are a multitude of local and sector-specific standards as well. As a consultant, we are often asked to use one of these as a baseline to help our customers generate an ICS cyber security program. This presentation will discuss some of the strengths and weaknesses of these different standards and the effort to integrate them into a realistic set of ICS cyber security program requirements.

TRANSCRIPT

Page 1: Integrating the Alphabet Soup of Standards

Kenexis® All Rights Reserved 2014 1

Integrating the Alphabet Soup of Standards

Jim Gilsinn

October 21-23, 2014

Page 2

Jim Gilsinn
• Senior Investigator, Kenexis Security
• 23 years engineering experience
  – 13 years in ICS network performance and security
• Areas of responsibility
  – ICS network and cyber vulnerability assessments
  – ICS network and cyber security designs
  – Developer, Kenexis Gemini network analysis system
  – Developer, Kenexis Lab-in-a-Box system
• International Society of Automation (ISA)
  – Co-chair, ISA99 committee (ISA/IEC 62443 Series)
  – Co-chair, ISA99 WG2, cyber security program
  – ISA99 Liaison to ISO/IEC JTC1/SC27

Page 3

Some History

Page 4

ISA99 Security Program
(diagram: Requirements, Implementation Guidance)

Page 5

ISA99 Security Program – History
• 2004 – ISA-TR99.00.02 – ISA publishes guidance material on building a security program and other relevant information
• 2009 – ISA-99.02.01 – ISA publishes standard on IACS security program
• 2010 – IEC-62443-2-1 – IEC publishes standard
  – Advises ISA that standard must be re-written as a modification to ISO/IEC 2700x
• 2012 – ISA-62443-2-1 Draft – ISA issues draft for comment on revised format
  – Not approved
• Current – ISA-62443-2-1 Draft – Planning next committee draft for vote later this year

Page 6

ISA99 Security Program – Documents
• ISA-62443-2-1 – Requirements for an IACS security management system
  – Modify requirements in both ISO/IEC 27001 & 27002 for IACS
  – Annexes provide additional requirements
  – Annexes with guidance on specific requirements
• ISA-62443-2-2 – Implementation guidance for an IACS security management system
  – Include much of the informative material from 1st edition
  – Guidance material on how to actually satisfy requirements

Page 7

NIST Special Publications
• SP800-53
  – Security program and controls
  – Included Annex I for ICS
  – 2009/2010 – Revision 3
  – 2013 – Revision 4 (Draft)
  – Revision 4 changes to overlay model
    • Establish base controls
    • Allow for modifications as necessary for different industries
    • Annex I moved to SP800-82
• SP800-82
  – Inherited some guidance material from ISA-TR99.00.02
  – Provide guidance on meeting requirements in 800-53 for ICS
  – Newer versions greatly expand on material and provide ICS overlay
  – 2011 – Revision 0
  – 2013 – Revision 1
  – 2014 – Revision 2 (Draft)

Page 8

NIST Cybersecurity Framework
• Feb. 2013 – President issues Executive Order 13636
  – Directed NIST to develop a voluntary framework – based on existing standards, guidelines, and practices – for reducing cyber risks to critical infrastructure
• Feb. 2014 – NIST releases version 1.0
• Oct. 2014 – NIST starting process for revision
• Risk management framework
  – Framework Core – Requirements & references
  – Framework Implementation Tiers – Maturity model
  – Framework Profile – States of the system (current, target)

Page 9

NIST Cybersecurity Framework
(diagram)

Page 10

ISO/IEC 2700x
• 1995 – BS7799 published
• 1999 – BS7799 revised
• 2000 – ISO/IEC 17799 published
• 2002 – BS7799-2 revised
  – Implemented Plan-Do-Check-Act model
• 2005 – ISO/IEC 27001 replaces BS7799-2
• 2007 – ISO/IEC 27002 replaces ISO/IEC 17799
• 2013 – ISO/IEC 27001 & 27002 revised
  – Removed Plan-Do-Check-Act for Continuous Improvement
  – Create consistent management system

Page 11

Cross Mapping Problem

Page 12

Cross Mapping Problem
(diagram: number of requirements per standard)
• Cybersecurity Framework – 99 Categories
• SP800-53r4 – 256 Req., 666 Req. Enhancements
• ISA-62443-2-1-2009 – 126 Req.
• ISO/IEC 27001 – 140 Req.
• ISO/IEC 27002 – 114 Req.

Page 13

Cross Mapping Problem
• NIST Cybersecurity Framework
  – Probably the closest to a wide cross mapping
  – References selected controls in
    • SANS 20 Controls (CCS CSC)
    • COBIT 5
    • ISA-62443-2-1-2009
    • ISA-62443-3-3-2013
    • ISO/IEC 27001:2013
    • NIST SP800-53r4
• ISA-62443-2-1
  – Being rewritten as modification to ISO/IEC 27001 & 27002
• Other standards?
  – NERC CIP (US)?
  – CFATS (US)?
  – CPNI (UK)?
  – WIB (NL)
  – National ICS Security Standard (Qatar)

Page 14

Creating a Security Program

Page 15

Creating a Security Program
• As a consultant, how do we help our customers create a security program?
• No one standard has everything
• Don’t try to be an expert in everything
  – Pick one and become an expert
  – Pick one or two others and become knowledgeable
  – Get exposed to the others
  – Pick individuals to gain knowledge on different ones
  – Many of them have similar requirements
• Customers generally have one in mind
  – As part of RFP, customers generally indicate which one they want to use as their base

Page 16

Creating a Security Program
• Try to avoid one-off solutions
  – Start with a main standard
  – Integrate good parts of other standards
  – Create a repeatable process
• But, don’t create a cookie-cutter solution
  – Customers all have different needs and priorities
  – Security program will need to be tailored
• Include a checklist, but don’t focus on it
  – Everyone talks about not using a checklist approach
  – Customers want a simple assessment tool to evaluate whether they met their design goals
  – Checklists provide “add-on value” for customers

Page 17

Creating a Security Program
• So what do we do at Kenexis?
• Avoid approaching this from a purely security point of view
  – Security is insurance, and everyone hates paying for insurance
  – System reliability is a much better tack
• A viable security program is difficult to design without an assessment

Page 18

Creating a Security Program
• 2-stage risk assessment
  – Incredibly valuable part of ISA-62443-2-1
  – High-level risk assessment to determine areas that need more attention
    • Doesn’t have to be an analytical approach, but it helps for repeatability
  – Low-level risk assessment is NOT a pen test!
    • We have created an ICS Cyber Vulnerability Assessment (CVA) process
    • Low-level risk assessment needs to include process evaluation
    • Show the existing vulnerabilities and problems, but do not actually show exploits
    • Not every network “vulnerability” is a real problem

Page 19

Creating a Security Program
• Asset inventory
  – Absolutely necessary
  – Almost never correct
  – Not just hardware devices, also look at software
• Zones & Conduits
  – Zone & conduit model is a way to visualize the segmentation in a network
  – It is logical, not real!
  – It is only real if the systems are actually implemented correctly
  – Overlay zones on actual network architecture for practicality

Page 20

Questions?

Page 21

Contact Information
• Jim Gilsinn
  – Email: [email protected]
  – Phone: +1-614-323-2254
  – Twitter: @JimGilsinn
  – LinkedIn: http://www.linkedin.com/in/jimgilsinn/
  – SlideShare: http://www.slideshare.net/gilsinnj
  – Website: http://www.kenexis.com