People First, Performance Now
Ministry of Science, Technology and Innovation
BRIDGING BARRIERS: LEGAL AND TECHNICAL OF CYBERCRIME CASES
Session 6 : Securing Your Fortress
• Back to basics
• Statistics
• Understanding the underlying complexities and issues within organizations (real-life experiences)
• Defining strategies and techniques
• Global remediation efforts within organizations with complex environments – challenges
“Information”
• Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.
• Information can exist in many forms – database, system
Security Breaches in 2010 – Scary ..
Stuxnet
APT
Cyber Warfare
Security Breaches in 2011 – Scary ..
• No clearly defined roles and responsibilities (grey operational areas)
• No clear understanding of different technology advancements and the potential security implications of adopting new technologies
• No clear understanding of potential risks and attack vectors (where do the threats come from?), and rarely any understanding of BIA (business impact analysis)
• Wrong attitude – “Nothing has happened in the past 25 years, why would it happen now, what's changed?”
• Full trust in vendors – “They should know best, this is their system, they are the experts”
Standards Overview
API 1164 – “SCADA Security”
The SCADA security standard, API 1164, provides guidance to the operators of oil and gas liquid pipeline systems for managing SCADA system integrity and security. The use of this document is not limited to pipelines regulated under Title 49 CFR 195.1, but should be viewed as a long listing of best practices to be employed when reviewing and developing standards for a SCADA system. The API standard, to date, applies only to pipeline operators and does not cover refineries. Previously released cyber-security guidelines are considered by API to be adequate for refineries at this time. Although the standard does address physical security, the primary thrust of this document is cyber security and access control. This document embodies "API Security Guidelines for the Petroleum Industry," and is specifically designed to provide the operators with a description of industry practices in SCADA security and to provide the framework needed to develop sound security practices within the operator’s individual companies.
NERC Security Guidelines – “Security Guidelines for the Electricity Sector”
NERC 1300 – “Cyber Security”
The document reviewed was Draft Version 1 of NERC 1300. The draft NERC cyber security standards, CIP-002 through CIP-009, will, when released, replace NERC 1200, “Urgent Action Cyber Security Standard.” These standards are in the review process at the North American Electric Reliability Council. The first drafts were released for review on September 15, 2004; review comments submitted on the third draft are now in review by the
NERC 1200 – “Urgent Action Standard 1200 – Cyber Security”
Governance – achieving success
Effective governance framework:
• Vision
• Stakeholder identification, engagement and management
• Sponsorship
• What are you creating, versus what are you plugging into?
• Communication – language, passion, risk and business focus, and clarity
• Culture
Benefits of a harmonised governance system
• A single control framework allows integrated assurance
• Benefits:
  • Reduced assurance costs
  • Single view of compliance state
  • Easily demonstrable to stakeholders
A way of operating effectively

Today                                   Tomorrow
Project oriented                        “The way we do business”
Viewed in isolation                     Dynamic and action-oriented
Managed disparately                     Integrated into processes
Separated from the flow of business     Process and data centric
Owned by compliance                     Owned by the “business”
Manual and reactive                     Automated and preventive
Reactive compliance model               Proactive, organisational-capabilities-driven approach

What happens when?
• People leave
• Processes are improved
• New systems are implemented
• Businesses are sold/acquired
The Sweet Spot for Harmonised IT Compliance
(figure: the overlap between security, business risk and the compliance process)
Control model
• What types of controls do you implement?
  • Mandatory – legislation specific to the country
    • Data Protection Act, Computer Crime Act …
  • Core – customer requirements, industry requirements
    • PCI, SOX, Basel II/III, ITIL, …
  • Voluntary – business driven
Key Thoughts
• IT compliance will grow more complex
• GOAL
  – Multiple requirements / controls → one control framework
  – Multiple audits, multiple auditors → one auditor
• Integrated assurance can
  – Reduce assurance costs
• Example of remediation efforts
  – Complex environments within the utilities sector
Global Remediation Efforts - Challenges
• Core business vs. enterprise IT (do we understand the difference, and what do our policies cover?) – SCADA, PCD networks, core telco, NGN, etc.
• Convergence risks (old infrastructure with new)?
• No standardized policies
• No standardized technologies
• Various systems and system generations (can we have standardized logging?)
• Controls over the operational environment (operational convenience vs. control and security)
• Inability to understand the extent of the attacks
• Commercialization risks
  • If I get my vendor to support my operations through remote connectivity, do I fully understand the associated risks?
  • My provider will monitor my network for me – can we see any