Industrial Control Systems Security

Empathy map example - Tommy

door Mindomo Team

PBL: Buying a Car

door Kim Davis

CHAPTER 2. PERSONAL FINANCIAL STATEMENT

door FARAH DALILA ABDUL KARIM

SIR TIM BERNERS-LEE

door William Miguel Arboleda Moreno

OT vs IT

Architecture

Besides being pervasive in our personal lives, IT is a relatively standardized world, and that is far more homogeneous than OT.) IT also tends to adapt far more quickly to multiple computing trends, from PCs to Internet to mobility, all of which have broadly shaped today’s Corporate IT strategy.

In contrast, OT is filled with silos of proprietary architectures because of its task‐specific nature. For example, a refinery is designed so it can run continuously for 5+ years before it is shut down for maintenance. In other words, reliability can often trump innovation, open architecture, interoperability, etc.

Focus

The IT software portfolio is people‐centric in the sense that it helps people “make money” by managing and coordinating the higher‐level processes and transactions of the business.

In contrast, the OT portfolio is largely “thing‐centric” in the sense that it helps “make product” by controlling the physical equipment with a great deal of precision (and safety), where the human’s role is supervisory (as automation increases.)

End‐Point

The end‐point being managed is often a human (whose job tends to be information‐intensive) using a computing device (that has been relatively homogeneous until the recent and growing BYOD [bring your own device] trend.)

The end‐point being managed is often a physical asset such as pumps, motors, conveyors, valves, forklifts, etc., where these “things” come in all shapes, sizes, level of complexity, versions and vintage.

Scope & Ownership

IT

Covers the spectrum of systems that support corporate functions like Finance, HR, Supply Chain, Order Management, Sales, etc. Functions and their processes tend to have commonality across industries.

OT

Covers the spectrum of systems that deal with the physical transformation of products and services. They are task‐ specific systems, are highly customized for industries and considered mission‐critical. They typically fall under the domain of Engineering.

Industrial Control Systems Security

Actividad No. 3 Sistemas de Información Industrial

Fundamental Concepts

Safety and Security

Program Maturity

Foundational Requirements

Security Levels

Zones and Conduits

Security Life Cycle

Sources of Help

In typical order of usefulness…

Applications

Collaboration between safety and security

New approaches to program definition

System segmentation is an accepted concept

IT and OT; What’s the point?

Common Questions

“IT or Engineering control of the network?”

“What products and technologies are suitable?”

“How do I manage my risks?”

“How do I manage patches?”

“What are the real threats?”

“Separate or Interconnected Networks?”

Understanding it is essential for success in many areas, including Security

Distinction is nonetheless real

Old wine in new bottles

Changing the Conversation

Know what you are trying to achieve, and why

Speak in plain language, not “cyber speak”

Focus on process capability and potential consequence

Less Fear, Uncertainty and Doubt (FUD)

Creating the Program

Establish and implement measurements

Identify objectives

Assess current performance

Establish program structure

Technology

Process

People

Understand the Fundamental Concepts

Identify sources of “Help”

Expectations and Regulation

Standards

Practices and Guidance

OT – IT Partnership

With an understanding of consequences…

Additional Resources

Consequence

Be wary of statements like

“Why would anyone do that.”

“Well, that could never happen.”

Expand to include areas where:

»Devices don’t act as they are designed

»People don’t act as they are supposed to

Subtema

Be realistic

This is the focus for asset owners!

Vulnerability

Do vulnerabilities mean bad things will happen?

Well‐crafted malware can exist for months or years before detected

Will always exist in industrial systems

»“Zero‐Day” and “Forever‐Day”

Threat

Context is important!

Some details may be classified or otherwise protected

Often vague and/or non‐specific

»“There’s a virus in the wild!” »Sources include US‐CERT and ICS‐CERT

Industrial Control Systems Security

Operational Technology (OT) and Information Technology (IT) serve distinct roles within an organization. OT is primarily concerned with controlling physical equipment to produce goods safely and precisely, with human intervention being mostly supervisory.

Empathy map example - Tommy

PBL: Buying a Car

CHAPTER 2. PERSONAL FINANCIAL STATEMENT

SIR TIM BERNERS-LEE

OT vs IT

Architecture

Besides being pervasive in our personal lives, IT is a relatively standardized world, and that is far more homogeneous than OT.) IT also tends to adapt far more quickly to multiple computing trends, from PCs to Internet to mobility, all of which have broadly shaped today’s Corporate IT strategy.

Focus

The IT software portfolio is people‐centric in the sense that it helps people “make money” by managing and coordinating the higher‐level processes and transactions of the business.

In contrast, the OT portfolio is largely “thing‐centric” in the sense that it helps “make product” by controlling the physical equipment with a great deal of precision (and safety), where the human’s role is supervisory (as automation increases.)

End‐Point

The end‐point being managed is often a human (whose job tends to be information‐intensive) using a computing device (that has been relatively homogeneous until the recent and growing BYOD [bring your own device] trend.)

The end‐point being managed is often a physical asset such as pumps, motors, conveyors, valves, forklifts, etc., where these “things” come in all shapes, sizes, level of complexity, versions and vintage.

Scope & Ownership

IT

Covers the spectrum of systems that support corporate functions like Finance, HR, Supply Chain, Order Management, Sales, etc. Functions and their processes tend to have commonality across industries.

OT

Covers the spectrum of systems that deal with the physical transformation of products and services. They are task‐ specific systems, are highly customized for industries and considered mission‐critical. They typically fall under the domain of Engineering.

Industrial Control Systems Security

Fundamental Concepts

Safety and Security

Program Maturity

Foundational Requirements

Security Levels

Zones and Conduits

Security Life Cycle

Sources of Help

In typical order of usefulness…

Applications

Collaboration between safety and security

New approaches to program definition

System segmentation is an accepted concept

IT and OT; What’s the point?

Common Questions

“IT or Engineering control of the network?”

“What products and technologies are suitable?”

“How do I manage my risks?”

“How do I manage patches?”

“What are the real threats?”

“Separate or Interconnected Networks?”

Understanding it is essential for success in many areas, including Security

Distinction is nonetheless real

Old wine in new bottles

Changing the Conversation

Know what you are trying to achieve, and why

Speak in plain language, not “cyber speak”

Focus on process capability and potential consequence

Less Fear, Uncertainty and Doubt (FUD)

Creating the Program

Establish and implement measurements

Identify objectives

Assess current performance

Establish program structure

Technology

Process

People

Understand the Fundamental Concepts

Identify sources of “Help”

Expectations and Regulation

Standards

Practices and Guidance

OT – IT Partnership

With an understanding of consequences…

Additional Resources

Consequence

Be wary of statements like

Expand to include areas where:

Be realistic

This is the focus for asset owners!

Vulnerability

Do vulnerabilities mean bad things will happen?

Well‐crafted malware can exist for months or years before detected

Will always exist in industrial systems

Threat

Context is important!

Some details may be classified or otherwise protected

Often vague and/or non‐specific

Determined as a result of Intelligence Gathering