Cybersecurity: Can Standards Bring Clarity from the Confusion?
2014 ISA Water / Wastewater and Automatic Controls Symposium, August 5-7, 2014 – Orlando, Florida, USA
Speaker: David Doggett
2014 ISA WWAC Symposium, Aug 5-7, 2014 – Orlando, Florida, USA (slide 2)
Presenter
• David Doggett
– David is a Cybersecurity Program Director for Schneider Electric's Industry Business.
– David has a BS in Electrical Engineering and has worked on both the system integration and supplier side of control systems for 20 years.
Presentation Outline
• Standards or Certification: which is better?
• Review of Standards
– International, National and Segment standards.
– End user, System Integrator and System Vendor standards.
• Choosing the right Standard to apply
– For an end user security program
– For suppliers
Standards or Certification
• Standards guide the security level/features of a system.
• Certification provides 3rd party assurance that a system meets a minimum level of security.
– Can substitute for expertise when evaluating a system.
Do you understand the details of SSL/TLS, or just trust the icon on the browser?
International, National and Segment
IEC62443 / ISA99 Standards and the specialist certifications that test against them (figure):
• Development Lifecycle
– Standard: 62443-4-1 Product Development Process
– Certification: Achilles Certified Practices (Process Domain Security Requirements)
• Product Communications Robustness
– Certification: Achilles Communication Robustness
• Product Functional Security
– Standard: 62443-4-2 Technical Security Requirements
– Certification: ISASecure EDSA (Embedded Device Security Assurance)
• System Functional Security
– Standards: 62443-3-3 System Security Requirements; 62443-2-4 System Deployment Process (SI)
– Certification: ISASecure System (System Security Assurance)
IEC62443 Certification – coming in 2014?
Specialist certifications available today – each certifies a product or system against test criteria or a standard.
National Standards – Under Development
• China
• France
Segment Standards
• NERC-CIP
IEC Standards
• IEC Standards Status (status table shown on the slide)
End User Standards
• Check security features for the system and its operation
– NERC-CIP
• Provide guidance on how the system should be procured, installed and operated
– IEC62443-2-1
• Provide guidance on how to implement a security program
– NIST Security Framework
NIST Framework
• Complements, and does not replace, an organization's existing business or cybersecurity risk management process and cybersecurity program.
• Organizations can use their current processes and leverage the framework to identify opportunities to improve the organization's cybersecurity risk management.
Core
● Functions
● Categories
● Subcategories
● Informative References
Tier
● 1 - Partial
● 2 - Risk Informed
● 3 - Repeatable
● 4 - Adaptive
Profile
● Establish a Roadmap
NIST Framework mapping to existing standards
• NIST Framework requirements map back to existing standards.
• IEC62443, NIST SP800-53, etc.
System Integrator Standards mean …
• The system was developed by trusted parties.
• The end user's data was secured during and after system development.
• The system as delivered meets specific security levels or provides specific functionality.
• The system can be patched and maintained securely.
• The staff that will maintain the system are trusted.
– IEC62443-2-4
– Self Certification
Vendor / Product Standards
• The product or system was developed in a secure way to minimise the risk of unknown security flaws.
• The product has a defined set of security functions.
Choosing the correct Standard
• End user standards for guidance on plant operation.
• System Integrator standards to ensure the system is delivered securely.
• Product standards to ensure that products meet a minimum level of functionality.
Questions?
David Doggett, Cybersecurity Program Director
Industry Business
Boston ONE Campus, 800 Federal Street, Andover, MA 01810-1067
Office: 978.975.9119 | Mobile: 978.902.6238
david.doggett@Schneider-Electric.com
www.schnedier-electric.com