CyberSecurity Malaysia | An Agency Under MOSTI

(1)

People First, Performance Now

Ministry od Science, Technology and Innovation

BRIDGING BARRIERS:

LEGAL

AND

TECHNICAL

OF

CYBERCRIME CASES

Session 6 : Securing Your Fortress

(2)

Ministry od Science, Technology and Innovation People First,

Performance Now



 

Back to basics



 

Statistics



 

Understanding the underlying

complexities and issues with organization

(real life experiences)



 

Defining strategies and techniques



 

Global remediation efforts within

organizations with complex environments

– Challenges

(3)

“Information”

• Information is an asset which, like other important business assets,

has value to an organization and consequently needs to be suitably

protected

• Information can exist in many forms – database, system

(4)

(5)

Security Breaches in 2010 – Scary ..

Stuxnet

APT

Cyber Warfare

(6)

Security Breaches in 2010 – Scary ..

(7)

Security Breaches in 2010 – Scary ..

(8)

(9)

Security Breaches in 2011 – Scary ..

(10)

• No clearly defined roles and

responsibilities (grey operational areas)

• No clear understanding of different

technology advancements and the

potential security implications of adopting

new technologies

• No clear understanding or potential risk

attack vectors (where the threats come

from ? and rare understanding of BIA )

(11)

• Wrong attitude – “Nothing happened for

the past 25 years, why happen now,

what's changed ?”

• Full trust on vendors – “They should know

best, this is their system, they are the

experts”

(12)

(13)

(14)

Standards Overview

API 1164 – “SCADA Security”

The SCADA security standard, API 1164, provides guidance to the operators of oil and gas liquid pipeline systems for managing SCADA system integrity and security. The use of this document is not limited to pipelines regulated under Title 49 CFR 195.1, but should be viewed as a long listing of best practices to be employed when reviewing and developing standards for a SCADA system. The API standard, to date, applies only to pipeline operators and does not cover refineries. Previously released cyber-security guidelines are considered by API to be adequate for refineries at this time. Although the standard does address physical security, the primary thrust of this document is cyber security and access control. This document embodies "API Security Guidelines for the Petroleum Industry," and is specifically designed to provide the operators with a description of industry practices in SCADA security and to provide the framework needed to develop sound security practices within the operator’s individual companies.

NERC Security Guidelines – “Security Guidelines for the Electricity Sector”

(15)

Standards Overview

NERC 1300 – “Cyber Security”

The current draft NERC standard was Draft Version 1 of NERC 1300. This is the document that was reviewed. The current draft NERC cyber security standard, CIP-002 through CIP-009, when released, will replace NERC 1200, “Urgent Action Cyber Security Standard.” These standards are in the review process by the North American Electric Reliability Council. The first drafts of these standards were released for review on September 15, 2004; review comments submitted on the third draft are now in review by the

NERC 1200 – “Urgent Action Standard 1200 – Cyber Security”

(16)

Governance – achieving success

Effective governance framework:



 

Vision



 

Stakeholder identification, engagement and

management



 

Sponsorship



 

What for are you creating versus plugging in to



 

Communication – language, passion, risk and

business focus and clarity



 

Culture

(17)

Benefits of a harmonised

governance system

• A single control framework allows integrated assurance

• Benefits:

• Reduced assurance costs

• Single view of compliance state

• Easily demonstrable to stakeholders

(18)

A way of operating effectively

Today

  Project oriented

  Viewed in isolation

  Managed disparately

  Separated from the flow of business

  Owned by compliance

  Manual and reactive

  Reactive compliance

model

Tomorrow

  “The way we do business”

  Dynamic and action-oriented

  Integrated into processes

  Process and data centric

  Owned by the “business”

  Automated and preventive

  Proactive organisational capabilities driven

approach

What happens when?

  People leave

  Processes are improved

  New systems are implemented

  Businesses are sold/acquired

(19)

The Sweet Spot for Harmonised IT Compliance

TURITY

/

BUSINESS RISK

COMPLIANCE PROCESS

BUSINESS RISK

(20)

Control model

• What types of controls do you implement?

• Mandatory – legislation specific to country

• Data Protection Act, Computer Crime Act

_…

• Core – customer requirements, industry requirements

• PCI, SOX, Basel – II/III, ITIL,

_…

• Voluntary – business driven

(21)

Key Thoughts

• IT compliance will grow more complex

• GOAL

–

Multiple requirements / controls

one control framework

–

Multiple audits, multiple auditors

one auditor

• Integrated assurance can

–

Reduce assurance costs

(22)

• Example of remediation efforts

–

Complex environments within Utility’s sector

Global Remediation Efforts - Challenges

• Core business Vs. enterprise IT (do we understand

the difference, what our policies cover) –

SCADA,

PCD Networks, Core Telco, NGN, etc.

• Convergence Risks

(old infra with new) ?

(23)

Global Remediation Efforts - Challenges

• No standardized policies

• No standardized technologies

• Various system and systems generations

(can we have

standardized logging) ?

• Controls over the operational environment

(operational /

convenience vs. control and security)

(24)

Global Remediation Efforts - Challenges

• Inability to understand the extend of the attacks

• Commercialization risks

• If I get my vendor to support my operations through remote

connectivity – do I fully understand the associated risks ?

• My provider will monitor my network for me

can we see any

(25)

(26)