Sdl deployment in ics

SDL Deployment in Industrial Control Systems Mayur Mehta

Transcript of Sdl deployment in ics

Page 1: Sdl deployment in ics

SDL Deployment in Industrial Control Systems

Mayur Mehta

Page 2: Sdl deployment in ics


Airplane Hacked

Page 3: Sdl deployment in ics

Cyber Incidents

Page 4: Sdl deployment in ics

Cyber Threats Emerged Over Time

[Figure: sophistication of cyber threats plotted against decades]

Source: MITRE

Page 5: Sdl deployment in ics

[Bar chart: row count (axis 0 to 120) per vendor: NI, Yokogawa, Honeywell, ABB, CODESYS, Sielco, Ecava, GE, Rockwell, Advantech, Schneider, SIEMENS]

• The NIST CVE database - 71,500+ vulnerabilities.
• Chart based on ICS 408 CVE

Source: Recorded Future

Page 6: Sdl deployment in ics

SHODAN

Page 7: Sdl deployment in ics

NORSE View

Page 8: Sdl deployment in ics

Cost of Security Lapse

• After release, a fix costs 30 times more than the same fix done in the design phase (as per the National Institute of Standards and Technology).

• Goodwill Loss - Customer’s productivity and confidence.

[Chart: cost multipliers 2.5x, 5x, 10x, 15x, 30x]

Page 9: Sdl deployment in ics

SDL – “Secure Development Lifecycle”

SDL helps us reduce product maintenance costs and increase the reliability of software with respect to security-related issues.

Page 10: Sdl deployment in ics

Training

Page 11: Sdl deployment in ics


• Bare minimum knowledge
• Role Based knowledge

Page 12: Sdl deployment in ics

Requirements

Page 13: Sdl deployment in ics


• Evaluate requirements
  • Access Control (Authentication)
  • Use Control (Authorization)
  • Logging (Auditing)
  • Confidentiality
  • Integrity
  • Availability

• Standards
  • IEC-62443
  • IEC-62351
  • NIST 800-82/800-53
  • NERC CIP

Page 14: Sdl deployment in ics

Design

Page 15: Sdl deployment in ics


Step1 Perform Threat Modeling Security design practice

Step2 Produce a Mitigation Action Plan STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) & DREAD (Damage Potential, Reproducibility, Exploitability, Affected Users, and Discoverability).

Step3 Perform Attack Surface Analysis & Reduction

Step4 Conduct a Secure Architecture Design Review
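
Steps 1 and 2 carried through as an added example (not part of the original slides): each threat gets a STRIDE category and five DREAD ratings, and the ranked result is the input to a mitigation action plan. The 1-10 rating scale, the mean-of-five score, the band cut-offs, the `rate` helper, the mapping from STRIDE categories to the requirement areas listed on the Requirements slide, and the sample threats are all assumptions made for this example.

```python
from dataclasses import dataclass

# STRIDE category -> requirement area from the deck's Requirements slide (assumed mapping).
STRIDE_TO_REQUIREMENT = {
    "Spoofing": "Access Control (Authentication)",
    "Tampering": "Integrity",
    "Repudiation": "Logging (Auditing)",
    "Information disclosure": "Confidentiality",
    "Denial of service": "Availability",
    "Elevation of privilege": "Use Control (Authorization)",
}
DREAD = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")

@dataclass
class Threat:
    name: str
    stride: str
    ratings: dict  # DREAD factor -> rating 1..10 (scale assumed for this example)

    def score(self) -> float:
        """Validate the entry, then return the mean of its five DREAD ratings."""
        if self.stride not in STRIDE_TO_REQUIREMENT:
            raise ValueError(f"{self.name}: unknown STRIDE category {self.stride!r}")
        if set(self.ratings) != set(DREAD):
            raise ValueError(f"{self.name}: rate exactly these factors: {DREAD}")
        if not all(1 <= r <= 10 for r in self.ratings.values()):
            raise ValueError(f"{self.name}: ratings must be within 1..10")
        return sum(self.ratings.values()) / len(DREAD)

def band(score: float) -> str:
    # Cut-offs are assumptions; replace them with your own risk acceptance criteria.
    return "High" if score >= 7 else "Medium" if score >= 4 else "Low"

def mitigation_plan(threats):
    """Return rows (threat, requirement area, score, band), highest score first."""
    scored = sorted(((t.score(), t) for t in threats), key=lambda p: (-p[0], p[1].name))
    return [(t.name, STRIDE_TO_REQUIREMENT[t.stride], s, band(s)) for s, t in scored]

def rate(*values):
    """Pair positional ratings with the DREAD factor names, in DREAD order."""
    return dict(zip(DREAD, values))

# Constructed sample threats for a hypothetical HMI/PLC product.
SAMPLE = [
    Threat("Audit log omits operator identity", "Repudiation", rate(5, 6, 4, 5, 3)),
    Threat("Setpoint write lacks authorization check", "Elevation of privilege", rate(9, 8, 7, 8, 6)),
    Threat("Process values sent in cleartext", "Information disclosure", rate(3, 4, 3, 2, 3)),
    Threat("Malformed request stalls controller", "Denial of service", rate(8, 7, 6, 9, 5)),
]
```

`mitigation_plan(SAMPLE)` returns the four threats ordered by score, each tagged with the requirement area it violates, so the plan can be worked top down.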

Page 16: Sdl deployment in ics

Implementation

Page 17: Sdl deployment in ics


Step1 Implement Security features
Step2 Use approved tools
Step3 Secure Coding practices

Review Source Code – top 10 to top 100 best secure coding practices
Perform Static Analysis – using Klocwork, FxCop, Fortify etc.
Analyze & Fix security issues

Page 18: Sdl deployment in ics

Verification

Page 19: Sdl deployment in ics

Step1 Penetration test plan - Attack surface and Security requirements.

Step2 Test security requirement against attack vectors.

Step3 Manual and/or automated vulnerability assessment.

Step4 Penetration attempts.

Step5 Remove false positives.

Step6 Final report with evidence(s).

Page 20: Sdl deployment in ics

Release

Page 21: Sdl deployment in ics

Step1 Results vs goals
Step2 Security features & settings in documentation

Page 22: Sdl deployment in ics

Response

Page 23: Sdl deployment in ics

• Incident response
• Providing fixes on zero day vulnerability
• Forensics Analysis
• Binary Vulnerability Scanning
• Responsible Disclosure

Page 24: Sdl deployment in ics
Page 25: Sdl deployment in ics

• Security is not a goal that can be reached
• New vulnerabilities are discovered daily
• Threats continue to evolve
• Weak points in the system change, becoming new points of attack

• Security is a process and an attitude

SDL – “Secure Development Lifecycle”

Page 26: Sdl deployment in ics

Reference
• http://nvlpubs.nist.gov/
• NIST 800-82 Guide to Industrial Control Systems (ICS) Security
• Microsoft SDL
• www.recordedfuture.com
• http://www.isasecure.org/
• NERC - North American Electric Reliability Corporation
• IEC 62443 (formerly ISA-99)
• ISO 27001 and 27002
• OWASP - www.owasp.org/
• SE PSO wiki

The key to successful cyber defence is preparation...

Thank you.