ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines •...
Transcript of ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines •...
![Page 1: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/1.jpg)
Standards
Certification
Education & Training
Publishing
Conferences & Exhibits
ISA Belgium Section
Presentation
Security in Industrial
Automation Control
Systems
March 2016
![Page 2: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/2.jpg)
Agenda
• Welcome
• Overview ISA & ISA Belgium
• Figures, Trends & Scope
• Introduction to the standard
• Q&A
![Page 3: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/3.jpg)
Who is ISA ?
• International Society of Automation
• Headquarter in North Carolina, USA
• European Headquarter in Eindhoven, The Netherlands
• > 30.000 members worldwide
• Activities:
– Develop standards
– Certify industry professionals
– Provide training
– Publish books
– Organize conferences
![Page 4: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/4.jpg)
ISA-Belgium Section
• Part of EMEA organization ISA (known as District 12)
• Section was not active since 1999 and is reactivated in
2011
• www.isa-belgium.org
www.isa.org/belgium
• Adress:Kasteelhoekstraat 1
1820 Perk
+32 2 253 01 55
• Board:Marc Blekkink [email protected]
Kris Adriaenssens [email protected]
Wim Tindemans [email protected]
Johannes Cottyn
Wim De Bruyn
![Page 5: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/5.jpg)
Independent distributor of hard- and software since 1976
3 divisions:
Automation Solutions
Electrical Test Solutions
Fire Protection Solutions
Automation Solutions:
• GE Digital: Software & Security Solutions
• GE Automation & Controls: Hardware
• Kepware Connectivity Solutions
Control & Protection (nutshell)
![Page 6: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/6.jpg)
Introduction to
Process Control Secuty
![Page 7: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/7.jpg)
In Critical Infrastructure, cyber attacks are real.
Critical Infrastructure: Security Preparedness and Maturity (July 2014), Unisys
and Ponemon
![Page 8: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/8.jpg)
…and organizations are not prepared.
2015 Global Megatrends in Cybersecurity, Raytheon and
Ponemon
![Page 9: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/9.jpg)
Security incidents happen everyday…
Verizon Data Breach Investigations Report 2015,
Verizon
![Page 10: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/10.jpg)
I
IT BIGWHAT’S THE
DIFFERENCE?
O
OT
![Page 11: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/11.jpg)
ITSecurity is about
data
OTSecurity is about critical assets
people
environment
assets
RISK and SAFETY
UPTIMEquality and performance
![Page 12: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/12.jpg)
YOUR ENVIRONMENT IS ALREADY CHALLENGING…
The expectation is for
24x7 production
You can’t directly
control the
environment
You can’t see your
own
vulnerabilities
and you can’t see
the threats
Any one
incident could
cripple the
entire
production
![Page 13: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/13.jpg)
INDUSTRIAL INTERNET DRIVES BETTER OUTCOMES
CONNECTIVITY LEADS TO EFFICENCIES & GROWTH
2005
2016
1995
IT
OT• Connected people
• Data-driven analysis
• Consumer/businesspublic cloud
• Connected devices & machines
• Physics-based data science & predictions
• Industrial community cloud
• Connected processes
• Reporting & dashboards
• On-premises client/server
BACK-OFFICE
AUTOMATION
SOCIAL MEDIA & CRM
INDUSTRIAL INTERNET
TIME
INN
OV
AT
ION
IT / OT convergence
![Page 14: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/14.jpg)
WHAT DOES IT MEAN TO SECURE
THE INDUSTRIAL INTERNET?
Technology that provides
deep visibility and
protection for industrial-
connected devices.
CYBER SECURITY
EXPERTISE
INDUSTRIAL
MINDSET
PURPOSE-BUILT
TECHNOLOGY
IT security is one thing,
OT is another. OT
threats and risks call
for OT security
expertise.
Operational efficiency.
Process control integrity.
And a mantra of zero
downtime.
![Page 15: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/15.jpg)
OT Security: from build to operate
Build
security in
Validate/certify
for security
Operate
processes
securely
Product Supplier
(Device Manufacturer)
Service Provider
(Integrator)
Asset Owner
(Operator)
OT SystemsOT device
and softwareOT software
OT device
![Page 16: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/16.jpg)
Introduction to
ISA/IEC-62443 (Formerly ISA-99)
![Page 17: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/17.jpg)
ISA99 and ISA/IEC 62443
• ISA/IEC 62443 is a Series of Standards
• Being Developed by 3 Groups
– ISA99 ANSI/ISA-62443
– IEC TC65/WG10 IEC 62443
– ISO/IEC JTC1/SC27 ISO/IEC 2700x
![Page 18: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/18.jpg)
Other Partners for Related Topics
• Process Safety (ISA84)
• Wireless Communications (ISA100)
• Certification (ISCI)
• Information Sharing (ICSJWG)
• Security Framework (NIST)
• International Reach (IEC/ISO)
• etc. IACS
Security
![Page 19: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/19.jpg)
The Basics
• General Concepts
• Fundamental Concepts
![Page 20: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/20.jpg)
General Concepts
• Security Context
• Security Objectives
• Least Privilege
• Defense in Depth
• Threat-Risk Assessment
• Policies and Procedures
Source: ISA-62443-1-1, 2nd Edition (Under development)
![Page 21: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/21.jpg)
Fundamental Concepts
• Security Life Cycle
• Zones and Conduits
• Security Levels
• Foundational Requirements
• Program Maturity
• Safety and Security
Source: ISA-62443-1-1, 2nd Edition (Under development)
![Page 22: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/22.jpg)
Security Life Cycle
Source: ISA-62443-1-1, 2nd Edition (Under development)
![Page 23: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/23.jpg)
Zones and Conduits
A network & system segmentation technique:
• Prevents the spread of an incident
• Provides a front-line set of defenses
• The basis for risk assessment in system design
![Page 24: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/24.jpg)
System Segmentation
• A process to understand:
– How different systems interact
– Where information flows between systems
– What form that information takes
– What devices communicate
– How fast/often those devices communicate
– The security differences between system components
• Technology helps, but architecture is more important
![Page 25: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/25.jpg)
Example
![Page 26: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/26.jpg)
Security Levels
![Page 27: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/27.jpg)
Foundational Requirements
• FR 1 – Identification & authentication control
• FR 2 – Use control
• FR 3 – System integrity
• FR 4 – Data confidentiality
• FR 5 – Restricted data flow
• FR 6 – Timely response to events
• FR 7 – Resource availability
![Page 28: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/28.jpg)
Program Maturity
• A means of assessing capability
• Similar in concept to Capability Maturity
Models
– e.g., SEI-CMM
• An evolving concept in the standards
– Applicability to IACS-SMS
![Page 29: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/29.jpg)
Safety and Security
• Safety is much of the “raison d’etre” for
security
– Presenting consequences
• Much to be learned from the Security
community
• Collaboration
– ISA99-ISA84 joint efforts
– ISA Safety and Security Division
![Page 30: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/30.jpg)
Work Products
![Page 31: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/31.jpg)
The ISA-62443/IEC 62443 Series
![Page 32: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/32.jpg)
What is Happening
![Page 33: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/33.jpg)
Recent Developments
• ISA-TR62443-1-3
– Formally assigned to a new WG12 for
development
• ISA-TR62443-2-3
– Published in July 2015
• IEC-62443-2-4
– Published by IEC
– Proposed adoption by ISA
![Page 34: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/34.jpg)
Recent Developments
• ISA-TR62443-3-2
– Submitted to committee for approval
• ISA-TR62443-4-1
– Submitted to committee for comment
• ISA-TR62443-4-2
– Submitted to committee for comment
![Page 35: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/35.jpg)
Current Areas of Attention
• Alignment of Management System with
ISO 27001:2013
• Affirming of Fundamental Concepts
• Detailed Requirements
– Component Technical
– Product Development
• The relationship between security and
safety
![Page 36: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/36.jpg)
• ISA99 Wiki – http//isa99.isa.org
• Twitter – @ISA99Chair
• Committee Co-Chairs– General: [email protected]
– Eric Cosman [email protected]
– Jim Gilsinn [email protected]
• ISA Staff Contact– Charley Robinson, [email protected]
• Membership:– 120 US$/year
– Access to standards
Please provide contact information & area of expertise or interest
Questions, Comments, Contributions…
![Page 37: ISA Belgium Section Presentation Security in …public cloud • Connected devices & machines • Physics-based data science & predictions • Industrial community cloud • Connected](https://reader033.fdocuments.in/reader033/viewer/2022050100/5f3fc3a367651726be0df04b/html5/thumbnails/37.jpg)
Thank you.
For more information please
contact us at:
ISA Belgium VZW
Kasteelhoekstraat 1
1820 PERK
Tel. 02-253 01 55
Fax 02-252 01 55
isa-belgium.org
www.isa.org/belgium