ICS-SCADA Cyber Security Standards, Solution Tips & Challenges


Ahmed M. Al Enizy, IT Security Manager, International Systems Engineering

Bottom Line (10/4/2012)

In the era of cyber war, securing ICS and SCADA systems helps protect national infrastructure and thus preserves steady national economic growth. But deploying the right technical and/or physical solutions is not enough. There are many security standards for each industry that can complement technical solutions, and there is no single standard that covers everything. This adds to the increasing complexity of ICS/SCADA management, governance, and compliance.


Agenda

Difference between Standards, Frameworks, and Best Practices
ICS/SCADA Security Standards
Which One is Good?
Solution Tips
How Does ISO 27001 Work?
General Challenges

Standards, Frameworks, Best Practices

(Slide diagram: a spectrum from Legal to Technical: Act, Regulation, Standard, Framework, Best Practice)

Act / Statute: "A written law passed by a legislative body." (Wikipedia)
Regulation: "A rule or directive made and maintained by an authority." (Wikipedia)
Standard: "A formal document that establishes uniform engineering or technical criteria, methods, processes and practices." (Wikipedia)
Framework: Guiding principles and recommendations to reach a goal.
Best Practice: "A well-defined procedure that is known to produce near-optimum results." (Wikipedia)

ICS/SCADA Security Standards

14 different standards for different infrastructure sectors (Energy and Power, Oil, Chemical, Defense, Water Treatment, Emergency Services, IT, Communications), issued by:

API - American Petroleum Institute
IEC - International Electrotechnical Commission
IEEE - Institute of Electrical and Electronic Engineers
ISA - Instrumentation, Systems, and Automation Society
ISO - International Organization for Standardization
NERC - North American Electric Reliability Council
NIST - National Institute of Standards and Technology

Which One is Good?

A good standard:
Incorporates the Plan-Do-Check-Act approach.
Is mature and stable.
Does not contradict or conflict with corporate or international standards.
Is clear and easy to understand.
Is systematic.
Is realistic and practical.
Solves all parts of the problem.
Is well structured and organized.
Is measurable.
Has a clear accreditation and certification process.
Is widely followed and adopted.

Solution Tips

There is no "silver bullet", and definitely there is no single solution.
Avoid reinventing the wheel: we are using their technologies, therefore it is best to use their standards and consider consultation.
Security is the result of collaborative effort through shared responsibilities, supported by commitment, resources, and consultation.
The right starting point is choosing the right standard.
You can use a corporate GRC program to adopt the security standard you have chosen.
GRC market solutions provide technical assistance and automation in managing a GRC program vertically and horizontally.

How Does ISO 27001 Work?

General Challenges

Cultures, Psychological Factors, Commitment, Cost, Complexity, Limitation, Compliance, Flexibility, Integration, People, Technology, Process, Support, Authority, Awareness

General Challenges (cont.)

Overlapping and intersection between standards.
Overlapping and varying abbreviations and definitions.
Growing complexity of compliance, both vertical and horizontal.
Limited number of ICS/SCADA suppliers compliant with security standards.

Thank you. Q / A
@SaudiSecurity

