Can Standards Bring Clarity from the Confusion?

2014 ISA Water / Wastewater and Automatic Controls Symposium
August 5-7, 2014 – Orlando, Florida, USA

Speaker: David Doggett

2014 ISA WWAC Symposium, Aug 5-7, 2014 – Orlando, Florida, USA

Presenter

• David Doggett

– David is a Cybersecurity Program Director for Schneider Electric’s Industry Business.

– David has a BS in Electrical Engineering and has worked on both the system integration and supplier side of control systems for 20 years.


Presentation Outline

• Standards or Certification, which is better?

• Review of Standards

– International, National and Segment standards.

– End user, System Integrator and System Vendor standards.

• Choosing the right Standard to apply

– For an end user security program

– For suppliers


Standards or Certification

• Standards guide the security level/features of a system

• Certification provides 3rd party assurance that a system meets a minimum level of security.

– Can substitute for expertise when evaluating a system.

Do you understand the details of SSL/TLS or just trust the icon on the browser?


International, National and Segment

Diagram columns: Development Lifecycle | Product Communications Robustness | Product Functional Security | System Functional Security

• IEC62443 / ISA99 Standards

– 62443-4-2 Technical Security Requirements

– 62443-2-4 System Deployment Process (SI)

– 62443-3-3 System Security Requirements

– 62443-4-1 Product Development Process

Diagram labels: Process Domain Security Requirements; Embedded Device Security Assurance; Achilles Communication Robustness; System Security Assurance

• IEC62443 Certification – coming in 2014?

• Specialist Certifications available today – certifies a product or system against test criteria/standard

– Achilles Certified Practices

– ISASecure EDSA

– Achilles Communication Robustness

– ISASecure System

• National Standards – Under Development: China, France

• Segments: NERC-CIP


IEC Standards

• IEC Standards Status


End User Standards

• Check security features for the system and its operation

– NERC-CIP

• Provide guidance on how the system should be procured, installed and operated

– IEC62443-2-1

• Provide guidance on how to implement a security program

– NIST Security Framework


NIST Framework

• Complements, and does not replace, an organization’s existing business or cybersecurity risk management process and cybersecurity program.

• Organizations can use their current processes and leverage the framework to identify opportunities to improve an organization’s cybersecurity risk management.

Core

● Functions
● Categories
● Subcategories
● Informative References

Tiers

● 1 - Partial
● 2 - Risk Informed
● 3 - Repeatable
● 4 - Adaptive

Profile

● Establish a Roadmap


NIST Framework mapping to existing standards

• NIST Framework requirements map back to existing standards.

• IEC62443, NIST SP800-53, etc.


System Integrator Standards mean …

• The system was developed by trusted parties.

• The end user’s data was secured during and after system development.

• The system as delivered meets specific security levels or provides specific functionalities.

• The system can be patched and maintained securely.

• The staff that will maintain the system are trusted.

IEC62443-2-4

Self Certification


Vendor / Product Standards

• The product or system was developed in a secure way to minimise the risk of unknown security flaws.

• The product has a defined set of security functions.


Choosing the correct Standard

• End user standards for guidance on plant operation.

• System Integrator standards to ensure the system is delivered securely.

• Product standards to ensure that products meet a minimum level of functionality.


Questions?

David Doggett
Cybersecurity Program Director
Industry Business

Boston ONE Campus
800 Federal Street
Andover, MA 01810-1067
Office: 978.975.9119 | Mobile: 978.902.6238
david.doggett@Schneider-Electric.com
www.schnedier-electric.com