ICS Security Management System “Using ISO 27001 Standard as the Strategic Management Foundation Integrated with NIST SP 800-82 Auditing Platform” Presented by: Pedro Wirya IT and ICS Security Consultant – PECB Certified Trainer PECB Webinar, October 28th, 2015
Pedro Putu Wirya, an IT and SCADA ICS Security Consultant with extensive experience in Information Security Management Systems (ISMS) and Cyber Security Assurance
Pedro Putu Wirya Consultant
Summary
Background
Incident (HSE risk) perspective
Why is ICS important?
“One aspect that is most likely to be ignored in ICS engineering & operations is ICS Cyber Security Assurance”
Background
The importance of Industrial Control System security
Critical function that controls the plant, ensures safe operations and meets the business goal
o Critical industry
o Public infrastructure
HSE risk exposure vs. financial risk exposure
Background
Computerized ICS with open protocols and an open platform infrastructure
Integration between the ICS network and the business network
Risks inherited from the common IT infrastructure adopted by ICS
Awareness level and business buy-in
Big gaps between IT security and ICS security
Threat and vulnerability vs. risk -> safety, business, environment -> tangible impact vs. investment
Industrial Standard References
ISO 27001: an Information Security Management System standard that covers the management system framework for the full lifecycle of Information Security Assurance
NIST SP 800-82: an Industrial Control System security standard that covers detailed recommendations on how to design, develop, implement and ensure ICS security assurance
Integration: ISMS + Audit Framework
ISO 27001 contains 7 clauses:
4. Context of the Organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance Evaluation
10. Improvement
NIST SP 800-82 “Guideline to Industrial Control Systems (ICS) Security” Standard contains 6 chapters:
I. Introduction
II. Overview of Industrial Control Systems
III. ICS Risk Management and Assessment
IV. ICS Security Program Development and Deployment
V. ICS Security Architecture
VI. Applying Security Controls to ICS
In summary, it has 23 categories of concern in correlation with ICS security (based on the CSET 7.0 “Questions” audit platform method)
Information Security Assurance Lifecycle
The continual improvement process using the PDCA concept is a requirement in ISO 27001:2005
In ISO 27001:2013 PDCA is no longer mandatory; each organization can use its existing continual improvement process
The following description will still use PDCA as the continual improvement process, for simplicity and general understanding
ISO 27001 Standard Structure
[Figure: ISO 27001 clauses mapped onto the PDCA cycle; recoverable labels: Check: Chapter 9. Performance Evaluation; Act: Chapter 10. Improvement; Clause 5. Leadership; Clause 7. Support; Annex A]
PLAN “Establish ISMS policy, objectives, processes and procedures
relevant to managing risk and improving information security to
deliver results in accordance with an organization’s overall
policies and objectives.”
DO “Implement and operate the ISMS policy, controls, processes, and
procedures.”
CHECK “Assess and, where applicable, measure process performance
against ISMS policy, objectives, and practical experience and
report the results to management for review.”
ACT “Take corrective and preventive actions, based on the results
of the internal ISMS audit and management review or other relevant
information, to achieve continual improvement of the ISMS.”
ICS Security Auditing Platform
The auditing tool platform used is CSET 7.0 by the Department of Homeland Security
The standard for auditing Industrial Control System security is NIST SP 800-82 Rev.2
The auditing method used in CSET 7.0 is the “Questions” based method
Questions based
o Select “Questions” to answer simple questions related to the selected standard(s)
Requirement based
o Select “Requirement” to use the exact text of a standard. This is particularly helpful for an asset owner preparing for an audit against a particular standard
Cyber Security Framework
ICS Security Auditing Platform
The NIST SP 800-82 Rev.2 auditing standard consists of 23 Categories of Concern (using Question mode in CSET 7.0)
Approximately 634 questions in total to be answered against the standard
The categories include:
o Document Management
o Maintenance
o Monitoring & Malware
o Organizational
o Personnel
o Physical Security
o Plans
o Policies
o Policies & Procedures General
o Portable/Mobile/Wireless
o Procedures
o Remote Access Control
o Risk Management and Assessment
o System and Services Acquisition
o System Integrity
o System Protection
o Training
ICS Security Auditing Platform
The CSET audit using NIST SP 800-82 can be used to assess ICS security assurance in all phases of plant operations
o Design & Engineering
o Commissioning & Testing
o Operations
o Post Operations
ICS Security Auditing Platform
Integration of the NIST SP 800-82 auditing platform into ISO 27001 in order to capture the full lifecycle of Information Security Assurance
Mapping the PDCA cycle as reflected in the ISO 27001 chapters, integrated with the NIST SP 800-82 auditing platform
This concept is described in more detail in the next section
Integrating NIST SP 800-82 into ISO 27001 Framework: When to do the ICS-SMS Audit (CSET 7.0 approach with NIST SP 800-82 standard)
Only in the “Operations Phase”? Or is it recommended to perform the audit during the other plant lifecycle phases as well?
Plant Lifecycle and ICS-SMS Audit Focus:
Design & Engineering Phase
o Assess the design compliance against the ICS security standard
o Explore security holes and fix them prior to the next phase
Commissioning & Testing Phase
o Align the compliance from the previous phase with the implementation
o As the bridge to the next phase, ensure the security assurance is well in place
Operations Phase
o Assess the real practice against the standard
o Determine the real compliance over a long-term window
o Continuous improvement aligned with the plant lifetime
Post Operations Phase
o Ensure the information credentials are safe prior to disengagement
o Final assessment prior to disengaging the system
Integrating NIST SP 800-82 into ISO 27001 Framework: ICS Security Assurance in the NIST SP 800-82 Standard
6 chapters, with 4 core contents related to ICS-SMS assurance:
I. Introduction
IV. ICS Security Program Development and Deployment
V. ICS Security Architecture
Integrating NIST SP 800-82 into ISO 27001 Framework: ICS Risk Management and Assessment
The concept of ICS risk management and assessment is similar to ISO 27001
The main difference is the object being assessed
The ultimate exposure level (in common) is HSE, instead of financial loss
Operations Technology vs. Information Technology
o Resource awareness, availability and capability
o Management buy-in, determination of risk appetite and risk acceptance level
o Tangible vs. intangible risk exposure
o Some risk exposure scenarios are specific compared to common IT security; expertise and field experience are required
Integrating NIST SP 800-82 into ISO 27001 Framework ICS Security
Program Development and Deployment
Security as Business Case
Integrating NIST SP 800-82 into ISO 27001 Framework ICS Security
Architecture
ICS Network segmentation and segregation
ICS logical and physical separation
Boundary protection
Backup and restore management
Defense-in-Depth architecture
Integrating NIST SP 800-82 into ISO 27001 Framework ICS Security
Architecture
ICS security architecture recommended practice
o Firewall policies for ICS (incl. rules for specific services)
o NAT
o AAA
o Incident detection, response and system recovery
Integrating NIST SP 800-82 into ISO 27001 Framework: ICS Security Controls
The ICS security controls are categorized into three types:
System Management Control
Operational Control
Technical Control
System Management Control:
o Security Assessment and Authorization
o Planning
Operational Control:
o Personnel Security
o Physical and Environmental Protection
o Contingency Planning
o Configuration Management
o Media Protection
o Incident Response
Technical Control:
o Identification and Authentication
o Access Control
The Mapping between the NIST SP 800-82 Standard and the ISO 27001 ISMS Framework
Continual improvement phase, ISO 27001 chapter(s), NIST SP 800-82 chapter(s):
The Umbrella
o ISO 27001: Chapter 4. Context of the Organization; Chapter 5. Leadership; Chapter 7. Support
PLAN
o ISO 27001: Chapter 6. Planning
o NIST SP 800-82: Chapter 3. ICS Risk Management and Assessment; Chapter 4. ICS Security Program Development and Deployment; Chapter 5. ICS Security Architecture
DO
o ISO 27001: Chapter 8. Operations
o NIST SP 800-82: Chapter 4. ICS Security Program Development and Deployment; Chapter 5. ICS Security Architecture
CHECK
o ISO 27001: Chapter 9. Performance Evaluation
o NIST SP 800-82: Auditing platform using CSET 7.0 against the NIST SP 800-82 standard
ACT
o ISO 27001: Chapter 10. Improvement; Annex A. Control Objectives and Controls
o NIST SP 800-82: Chapter 6. Applying Security Controls to ICS
ISMS Framework: Integration of NIST SP 800-82 into ISO 27001 (Explanation)
The Umbrella
ISO 27001 Chapter 4. Context of the Organization
o Determining the scope of the ICS Security Management System (ICS-SMS)
o Establish, implement, maintain and continually improve the ICS-SMS
ISO 27001 Chapter 5. Leadership
o Ensure that the ICS-SMS is compatible with the strategic orientation of the organization
o Integrate ICS-SMS requirements into the organization’s related business processes
o Resource support from management
ISO 27001 Chapter 7. Support
o Coverage including the resources, awareness and competence of the individuals and teams related to the ICS-SMS
o Internal and external communication to ensure ICS-SMS assurance
o Documented information
PLAN
ISO 27001 Chapter 6. Planning with NIST SP 800-82 Chapter 4. ICS Security Program Development and Deployment and Chapter 5. ICS Security Architecture
o Team development and information gathering
o Define the scope of ICS security and its objects, guidance and references (incl. strategy and development of the ICS security manual/policy/procedure)
o Schedule and charter
o Asset inventory and characterization (incl. asset criticality assessment)
o ICS security risk assessment (initial RA)
o ICS security campaign
DO
ISO 27001 Chapter 8. Operations with NIST SP 800-82 Chapter 5. ICS Security Architecture
o ICS security campaign
o ICS security risk assessment (operations phase review/revision)
o Controls catalog management
o Implementation of the ICS security program in the operations phase; deploy the policy and procedures
o Periodic review and monitoring of ICS security assurance
o Ensure ICS security practice is aligned with the agreed references
CHECK
ISO 27001 Chapter 9. Performance Evaluation with the auditing platform using CSET 7.0 against the NIST SP 800-82 standard
o Audit of ICS security compliance against the reference standard (NIST SP 800-82) while adhering to the ISO 27001 ISMS framework
o Manage the gap findings and strategize the closure actions
o Manage the audit results by priority; assign the responsible party and ECD
o Stewardship of the planned and completed activities
ACT
ISO 27001 Chapter 10. Improvement and Annex A. Control Objectives and Controls
o Implement the security controls to improve ICS security assurance as per the audit recommendations
o Integrate ISO 27001 Annex A with NIST SP 800-82 Chapter 6 to obtain more robust solutions (risk analysis of affordability vs. compliance)
o Controls catalog stewardship for continuous improvement
o Proper closure action/report/management
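As an added illustration of the CHECK step above (example code written for this page, not taken from the presentation or from CSET), the following Python scores a constructed set of CSET “Questions” mode answers per NIST SP 800-82 category of concern and turns the “No” answers into a prioritized gap register carrying the responsible party and ECD. The category names come from the slides; the question ids, the answer sample and the ownership table are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample of CSET "Questions" mode answers as (category, question
# id, answer). Answers use CSET's Yes / No / NA / Alt values, where Alt means
# an alternate control is in place. Question ids are placeholders.
SAMPLE_ANSWERS = [
    ("Remote Access Control", "RAC-1", "Yes"),
    ("Remote Access Control", "RAC-2", "No"),
    ("Remote Access Control", "RAC-3", "No"),
    ("Remote Access Control", "RAC-4", "NA"),
    ("Portable/Mobile/Wireless", "PMW-1", "Yes"),
    ("Portable/Mobile/Wireless", "PMW-2", "Alt"),
    ("Portable/Mobile/Wireless", "PMW-3", "No"),
    ("Training", "TRN-1", "Yes"),
]
# Constructed stewardship table: category -> (responsible party, ECD).
SAMPLE_OWNERS = {
    "Remote Access Control": ("OT Network Lead", date(2016, 1, 31)),
    "Portable/Mobile/Wireless": ("Plant IT Coordinator", date(2016, 3, 31)),
}

def score_by_category(answers):
    """Return {category: (met, applicable, percent)}. NA answers are not
    applicable and drop out of the denominator; Alt counts as met."""
    met, applicable = defaultdict(int), defaultdict(int)
    for category, _qid, answer in answers:
        if answer == "NA":
            continue
        applicable[category] += 1
        met[category] += answer in ("Yes", "Alt")
    return {c: (met[c], applicable[c], round(100 * met[c] / applicable[c]))
            for c in applicable}

def gap_register(answers, owners, threshold=100):
    """One finding per 'No' answer in each category scoring below threshold,
    ranked by category compliance (priority 1 = least compliant). Responsible
    party and ECD come from the owners table, or 'unassigned' / None."""
    scores = score_by_category(answers)
    ranked = sorted((c for c in scores if scores[c][2] < threshold),
                    key=lambda c: scores[c][2])
    rank = {c: i + 1 for i, c in enumerate(ranked)}
    register = []
    for category, qid, answer in answers:
        if answer == "No" and category in rank:
            responsible, ecd = owners.get(category, ("unassigned", None))
            register.append({"priority": rank[category], "category": category,
                             "question": qid, "responsible": responsible, "ecd": ecd})
    return sorted(register, key=lambda g: (g["priority"], g["question"]))
```

Categories at 100% compliance produce no findings, so the register lists only the gaps the stewardship step has to track through to closure.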
Summary
ISO 27001 has complete coverage to form the closed cycle of the ISMS and its continual improvement
NIST SP 800-82 has more detail covering the ICS security specific requirements
Integrating the NIST SP 800-82 platform (including the auditing platform using CSET) into ISO 27001 will form a better ICS-SMS framework that covers the full continual improvement cycle as well as the detailed specific requirements for ICS security assurance
ICS Security Assurance is required in each phase of the plant lifecycle (the depth of detail is subject to local discretion and further analysis)
IT and SCADA ICS Security Courses
ICS Cyber Security Management System, 5 Day Course
http://fedco.co.id/ics-cyber-security-management-system/
IT Security Essentials
http://fedco.co.id/it-security-essentials/
Certified Lead SCADA Security Professional, 4 Days Course + 1 Day Exam
http://fedco.co.id/certified-lead-scada-security-professional/
Certified ISO 27001 Lead Auditor, 4 Days Course + 1 Day Exam
http://fedco.co.id/certified-iso-27001-lead-auditor/
IT Security Assurance Services