SECURITY TESTING & COMPLIANCE FOR ICS/SCADA
IN CONTROL WITH SECURA
MINIMIZE RISKS FOR ICS BY USING STATE-OF-THE-ART SECURITY STANDARDS AND FRAMEWORKS
Industrial Control Systems (ICS) can be found in many of a nation's critical infrastructures. These include nuclear plants, the oil & gas industry, transportation, chemicals processing and other process industries. ICS are also significant elements within general manufacturing, as they monitor, take decisions on and automate parts of a company's processes.
Because of their widespread use and the criticality of the domains in which they operate, the security of Industrial Control Systems and their components should be taken into account on an equal footing with other aspects such as performance or safety.
There are many vectors through which cyberattacks can be devised against ICS, each of them resulting in potentially critical threats and impacts. A successful way to significantly reduce and control these risks is to align the whole life cycle of a system with state-of-the-art standards and frameworks. Secura understands that the security of ICS is a shared process; therefore, we designed our assessment and certification services to cover all involved parties, from manufacturers to end users.
Secura has worked in information security and privacy for nearly two decades. This is why we understand the challenges that you face like no one else and would be delighted to help you address your information security matters efficiently and thoroughly. We work in the areas of people, processes and technology. For our customers we offer a range of security testing services varying in depth and scope.
ICS/SCADA LANDSCAPE
The ICS industry landscape can be structured into manufacturers, integrators and end users. Manufacturers design and produce various ICS components and systems, such as Distributed Control Systems (DCS), Programmable Logic Controllers (PLC) or Supervisory Control and Data Acquisition (SCADA) systems.
Integrators and end users make use of the products and systems developed by the manufacturers. Integrators are companies which acquire ICS systems from manufacturers and install them into various environments for a customer (the end user). Note that the integration step can be performed by the manufacturers as well.
End users make use of the systems within their organization. They are in charge of supervising and maintaining the systems, unless other entities (e.g. the integrators) take on this responsibility.
As can be seen, there is a strong relationship between the involved parties, which is why security responsibility needs to be shared among all of them.
SECURITY STANDARDS FOR ICS/SCADA
The diagram on the next page provides an overview of the different actors and phases relevant to the ICS life cycle. Secura has selected relevant standards to perform testing and compliance assessments for the ICS/SCADA industry.
IN CONTROL WITH SECURA
Secura has worked in information security and privacy for over 18 years. By leveraging our experience and expertise, we are a strong partner to address your information security matters efficiently and thoroughly. Secura performs testing and compliance assessments in the areas of people, processes and technology.
For ICS/SCADA we offer the following services, in line with international standards and frameworks:
• For ICS component/system manufacturers:
  • Security Assessment of the development process
  • Security Assessment of product security
• For ICS users and integrators:
  • Security Assessment of ICS system integration procedures
  • Security Gap Analysis for existing ICS systems and components
  • Security Assessment of organization-level cybersecurity practices
SECURITY ASSESSMENTS FOR ICS/SCADA MANUFACTURERS
The security of an off-the-shelf ICS component or system relies heavily on its design and development process. Secura supports manufacturers in aligning the individual development stages with internationally recognized standards and frameworks, providing assurance on the security level of their products.
We base our assessment on the internationally well-known IEC 62443 family of standards, which sets out the state-of-the-art security requirements in the ICS domain. For manufacturers, the specifically relevant standards from this family are:
• IEC 62443-4-2, addressing component security requirements
• IEC 62443-4-1, addressing product development requirements
In addition, the assessment based on IEC 62443 can be supplemented with the requirements set out in UL 2900 and the ENISA baseline requirements. These state-of-the-art standards provide added value by addressing specific development process stages, such as risk analysis, required product documentation, supply chain security or quality management requirements.
APPLICABILITY SELECTION
During the assessment, we select the relevant requirements from these standards that apply to your product, based on its use case and associated risk level.
SECURITY VALIDATION
After this tailored selection step, the product's security functions, as well as the processes related to its development, are validated through testing, document review or audit activities. As an example, an assessment against IEC 62443-4-2 tests the security controls of the device, such as secure authentication, role separation, PKI implementation, event logging, secure port access or data encryption.
REPORTING
The final deliverable is an Assurance Report, prepared according to international assurance standards such as ISAE 3000 and signed off by a certified auditor.
[Diagram: ICS/SCADA actors, life cycle phases (Development & Deployment) and applicable standards]
Manufacturers / Development: IEC 62443, UL 2900, ENISA requirements
Users/integrators / Integration: IEC 62443
Users/integrators / System security gap analysis: IEC 62443, UL 2900, ENISA requirements
Users/integrators / Organization cybersecurity: NIST CSF, NIST 800-53, NCSC checklist, DHS catalog
INTERESTED?
Would you like to learn more about our services? Please do not hesitate to contact us.
Vestdijk 59, 5611 CA Eindhoven, Netherlands
Karspeldreef 8, 1101 CJ Amsterdam, Netherlands
T +31 (0)40 23 77 990
E [email protected]
www.secura.com
OUR VALUE TO YOU
The assessment will demonstrate compliance with state-of-the-art security requirements, in the form of an internationally recognized report. This enables you to showcase the security of your product, which can give you a significant market advantage. Moreover, implementing and following the standards applicable to your business helps you structurally increase security and demonstrate this to the markets in which you are active.
SECURITY ASSESSMENTS FOR ICS/SCADA USERS/INTEGRATORS
The world of ICS users is at least as dynamic as that of the manufacturers. While an ICS component or system can be secure in its off-the-shelf state, its integration and subsequent use are vital for the security of the organization as a whole. Secura can support you in aligning and certifying the secure deployment of ICS products against state-of-the-art standards.
Our assessment for ICS integrators and end users is based on the IEC 62443 family.
ICS system integrators can obtain assurance on their procedures based on the IEC 62443-2-4 standard.
Once the system is integrated, most of the responsibility for secure usage falls on the end user organization. Implementing a proper ICS cybersecurity program following IEC 62443-2-1 is vital from an organizational perspective. Moreover, IEC 62443-3-3 can be used to assess the security capabilities of the deployed systems and to produce a gap analysis for achieving the desired security level.
As an added service, besides compliance with IEC 62443, the assessment for end users can be extended to include other state-of-the-art standards such as UL 2900 or the ENISA baseline requirements. These standards can be used to verify additional requirements in terms of system security functionality, complementing the set of requirements in IEC 62443-3-3.
Finally, end user organizations can align their procedures, policies and implemented security controls with well-known security frameworks, such as the international NIST CSF, NIST SP 800-53, the Department of Homeland Security catalog or the Dutch-specific NCSC ICS security checklist.
APPLICABILITY SELECTION
For both integrators and end users, we select the relevant requirements from the above-mentioned standards based on your particular domain of activity. Thus, our approach provides a tailored, risk-based way of assessing security.
SECURITY VALIDATION
The assessment is carried out by validating the policies, processes and security functionality of the systems. As an example, an assessment against IEC 62443-3-3 tests the security controls of the deployed system, such as secure authentication, role separation, PKI implementation, event logging, secure port access or data encryption. On the process side, IEC 62443-2-1 addresses the implementation of a cybersecurity management system, including risk analysis, personnel awareness, security countermeasures and system monitoring.
REPORTING
The final deliverable is a compliance report providing the conclusions of the assessment. This report can also be produced in the form of an Assurance Report, prepared according to international assurance standards such as ISAE 3000 and signed off by a certified auditor.
OUR VALUE TO YOU
Through this report, you obtain a powerful tool for internationally demonstrating your compliance, thus strengthening your brand on the market.