to minimize risk
play

to minimize risk? Standards Certification Education & Training - PowerPoint PPT Presentation

Feb 08, 2023 •263 likes •734 views

How can I use ISA/IEC- 62443 (Formally ISA 99) to minimize risk? Standards Certification Education & Training Publishing Conferences & Exhibits What is ISA 62443? A series of ISA standards that addresses the subject of security for

  1. How can I use ISA/IEC- 62443 (Formally ISA 99) to minimize risk? Standards Certification Education & Training Publishing Conferences & Exhibits

  2. What is ISA 62443? A series of ISA standards that addresses the subject of security for industrial automation and control systems. The focus is on the electronic security of these systems, commonly referred to as cyber security. 2

  3. What is ISA 62443?

  4. What is ISA 62443? Part 1: Terminology, Concepts and Models Establishes the context for all of the remaining standards in the series by defining a common set of terminology, concepts and models for electronic security in the industrial automation and control systems environment . 4

  5. ISA/IEC 62443-1-1 Terminology, Concepts and Models

  6. What is ISA 62443? Part 2: Establishing an Industrial Automation and Control System Security Program Describes the elements of a cyber security management system and provide guidance for their application to industrial automation and control systems. 6

  7. ISA/IEC 62443-2-1 Establishing an Industrial Automation and Control Systems Security ISA/IEC 62443-2-1 Requirements for an IACS Security Management System

  8. ISA/IEC 62443-2-3 Patch management in the IACS environment

  9. What is ISA 62443? Part 3: Operating an Industrial Automation and Control System Security Program Addresses how to operate a security program after it is designed and implemented. This includes definition and application of metrics to measure program effectiveness. 9

  10. ISA/IEC 62443-2-3 System security requirements and security levels

  11. Overstating the Risk and Consequence

  12. Potential cyber threats (What management hears on the news or from IT) • Database Injection • Replay • Spoofing • Social Engineering • Phishing • Malicious Code • Denial of Service • Escalation of Privileges ISA/IEC 62443-1-1 5.5.4

  13. FACTS Targeted attack on a steel plant in Germany 2010. METHOD Using sophisticated spear phishing and social engineering an attacker gained initial access on the office network of the steelworks. From there, they worked successively to the production networks.

  14. DAMAGE More frequent failures of individual control components or entire plants became evident. The failures resulted in a unregulated blast furnace in a controlled condition that could not be shut down. The result was massive damage to the furnace.

  15. Technical skills The technical capabilities of the attacker were very advanced. Compromise extended to a variety of internal systems of industrial components. The know-how of the attacker was very pronounced in the field of conventional IT security and extended to applied industrial control and production processes.

  17. The root cause… In a report released earlier this month, Unisys recommended that critical infrastructure organizations take on cost effective security strategies by aligning them with other business strategies and goals, and through managing identities and entitlements to improve identity assurance and reduce "critical employee errors," – as 47 percent of respondents said an "accident or mistake" was the root cause of their security breaches in the past year.

  19. Your current likely internal cyber threats • Missing or undocumented DCS/PLC programs • Missing drivers or configuration software • Loading old program versions • Loss of passwords • Inadvertent virus infections • Disruptive polling of automation system from business network • Curious employees • Power failure ISA/IEC 62443-1-1 5.5.4

  20. Your current likely external cyber threats Suxtnet is not your problem It’s the USB Or the contractors laptop

  21. Let’s save some time! “High -level assessment is required because experience has shown that if organizations start out by looking at detailed vulnerabilities, they miss the big picture of cyber risk and find it difficult to determine where to focus their cyber security efforts. Examination of risks at a high level can help to focus effort in detailed vulnerability assessments .” ISA/IEC 62443-2-1 Annex C Proposed

  23. ISA/IEC 62443-2-1 4.1

  24. The first step to implementing a cyber security program for IACS is to develop a compelling business rationale for the unique needs of the organization to address cyber risk • Prioritized business consequences • Prioritized threats • Estimated annual business impact • Cost

  25. Business risks from current and potential threats • Personnel safety risks: death or injury • Process safety risks: equipment damage or business interruption • Information security risk: cost, legal violation, or loss of brand image • Environmental risk: notice of violation, legal violations, or major impact • Business continuity risk: business interruption

  26. So where do I start? ISA/IEC 62443-2-1 Annex A

  27. Annex A soon to be Annex C • Developing a network diagram of the IACS (see C.3.3.3.8.4). • Understanding that risks, risk tolerance and acceptability of countermeasures may vary by geographic region or business organization. • Maintaining an up-to-date record of all devices comprising the IACS for future assessments.

  28. Annex A soon to be Annex C • Establishing the criteria for identifying which devices comprise the IACS. • Identifying devices that support critical business processes and IACS operations including the IT systems that support these business processes and IACS operations. • Classifying the logical assets and components based on availability, integrity, and confidentiality, as well as HSE impact.

  29. Developing a network diagram of the IACS WAN INTERNET Remote PLC LOCAL ISP Support via Enterprise Terminal Services to Remote DCS PLC Support Engineering Internal (Static IP) Station Device Adaptive Security (Static IP) Firewall CEMS VIM CEMS Appliance and VPN software System BUSINESS LAN support support (Static IP) (Static IP) DMZ VLAN PLC CEMS DMZ Engineering Workstation Station I/P SWITCH 3 Fiber Optic 3 3 Channel B Windows Domain Operator Operator Operator Engineering Controller/Anti Workstation Workstation Workstation Historian Ethernet I/P DCS Workstation virus/Management Radio (Password DCS VLAN management) 1 2 1 2 1 2 1 2 1 2 1 1 1 1 1 2 2 2 2 2 1 2 Root Switch Root Switch Fiber Optic Channel A (exisitng) (exisitng) FIELD Replace hub with optional switch to create subnet to isolate HMI polls from DCS network Cooling CEMS-2 Air Quality-1 Air Quality-2 ASH FUEL CEMS-1 Demin Demin RO HMI RO PLC Tower HMI PLC Chemical (Future) 29

  30. Developing a network diagram of the IACS 30

  31. Developing a network diagram of the IACS 31

  32. Developing a network diagram of the IACS WAN INTERNET Remote PLC LOCAL ISP Support via Enterprise Terminal Services to Remote DCS PLC Support Engineering Internal (Static IP) Station Device Adaptive Security (Static IP) Firewall CEMS VIM CEMS Appliance and VPN software System BUSINESS LAN support support (Static IP) (Static IP) DMZ VLAN PLC CEMS DMZ Engineering Workstation Station I/P SWITCH 3 Fiber Optic 3 3 Channel B Windows Domain Operator Operator Operator Engineering Controller/Anti Workstation Workstation Workstation Historian Ethernet I/P DCS Workstation virus/Management Radio (Password DCS VLAN management) 1 2 1 2 1 2 1 2 1 2 1 1 1 1 1 2 2 2 2 2 1 2 Root Switch Root Switch Fiber Optic Channel A (exisitng) (exisitng) FIELD Replace hub with optional switch to create subnet to isolate HMI polls from DCS network Cooling CEMS-2 Air Quality-1 Air Quality-2 ASH FUEL CEMS-1 Demin Demin RO HMI RO PLC Tower HMI PLC Chemical (Future) 32

  33. If you done a HAZOP, you can do a cyber security risk assessment!

  34. Consequences • Loss of life • Damage to equipment • Loss of production • Environmental reporting fines • Bad Press ISA/IEC 62443-1-1 6.1

  35. Risk Assessment WAN INTERNET Remote PLC LOCAL ISP Support via Enterprise Terminal Services to Remote DCS Low PLC Support Engineering Internal (Static IP) Station Device Adaptive Security (Static IP) Firewall CEMS VIM CEMS Appliance and VPN software System BUSINESS LAN support support (Static IP) (Static IP) Medium DMZ VLAN PLC CEMS DMZ Engineering Workstation High Station I/P SWITCH 3 Fiber Optic 3 3 Channel B Windows Domain Operator Operator Operator Engineering Controller/Anti Workstation Workstation Workstation Historian Ethernet I/P DCS Workstation virus/Management Radio (Password DCS VLAN management) 1 2 1 2 1 2 1 2 1 2 1 1 1 1 1 2 2 2 2 2 1 2 Root Switch Root Switch Fiber Optic Channel A (exisitng) (exisitng) FIELD Replace hub with optional switch to create subnet to isolate HMI polls from DCS network Cooling CEMS-2 Air Quality-1 Air Quality-2 ASH FUEL CEMS-1 Demin Demin RO HMI RO PLC Tower HMI PLC Chemical (Future) 35

  36. The risk equation

  37. Risk Response (For the MBAs) • Assess initial risk • Implement countermeasures • Assess residual risk ISA/IEC 62443-1-1 6.1

  38. Risk Response (For the Engineers) • Design the risk out • Reduce the risk • Accept the risk • Transfer or share the risk • Eliminate or fix outdated risk control measures

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

n ( n ( I ( i , j ) = i j minimize ... | {z } r r . . A . k 2 Youngsoo

n ( n ( I ( i , j ) = i j minimize ... | {z } r r . . A . k 2 Youngsoo

Spacetime least-squares PetrovGalerkin projection for nonlinear model reduction r ) + r ( P k minimize r ( v ; ) k 2 P r r v n ( n ( I ( i , j ) = i j minimize ... | {z } r r . .

751 views • 36 slides
October 15, 2015 Who is pushing the preference buttons? Learn how to minimize preference risk

October 15, 2015 Who is pushing the preference buttons? Learn how to minimize preference risk

Presentation of David M. Grogan Shumaker, Loop & Kendrick, LLP to The Association of International Credit and Trade Finance Professionals October 15, 2015 Who is pushing the preference buttons? Learn how to minimize preference risk

988 views • 51 slides
O PT F UELS : A SSESSING FIRE RISK AND SCHEDULING FUEL TREATMENTS SPATIALLY OVER TIME TO MINIMIZE

O PT F UELS : A SSESSING FIRE RISK AND SCHEDULING FUEL TREATMENTS SPATIALLY OVER TIME TO MINIMIZE

O PT F UELS : A SSESSING FIRE RISK AND SCHEDULING FUEL TREATMENTS SPATIALLY OVER TIME TO MINIMIZE EXPECTED LOSS FROM FUTURE FIRE Greg Jones , Kurt Krueger , USDA Forest Service RMRS; SNPLMA - Round 9 Woodam Chung , Edward Butler , The University of

229 views • 21 slides
Mixing Lean UX & Agile Development How to minimize risk, maximize flexibility, and create a

Mixing Lean UX & Agile Development How to minimize risk, maximize flexibility, and create a

Mixing Lean UX & Agile Development How to minimize risk, maximize flexibility, and create a loved product. Courtney Hemphill @chemphill @carbonfive courtney@carbonfive.com We used to design and build desktop applications Berkeley Breathed,

675 views • 66 slides
Cybersecurity Legal Requirements Today and Tomorrow AND HOW TO MINIMIZE LIABILITY RISK IN

Cybersecurity Legal Requirements Today and Tomorrow AND HOW TO MINIMIZE LIABILITY RISK IN

Cybersecurity Legal Requirements Today and Tomorrow AND HOW TO MINIMIZE LIABILITY RISK IN CHANGING TIMES Robert Kriss Partner +1 312 701 7165 rkriss@mayerbrown.com Speakers Robert Kriss Partner - Chicago Overview What is the current

639 views • 32 slides
Mixing Lean UX & Agile Development How to minimize risk, maximize flexibility, and create a

Mixing Lean UX & Agile Development How to minimize risk, maximize flexibility, and create a

Mixing Lean UX & Agile Development How to minimize risk, maximize flexibility, and create a loved product. @chemphill courtney@carbonfive.com @carbonfive #GOTOBerlin Courtney Hemphill Partner/Tech Lead @chemphill

1.03k views • 63 slides
Mixing Lean UX & Agile Development How to minimize risk, maximize flexibility, and create a

Mixing Lean UX & Agile Development How to minimize risk, maximize flexibility, and create a

Mixing Lean UX & Agile Development How to minimize risk, maximize flexibility, and create a loved product. Friday, November 1, 13 Courtney Hemphill @chemphill courtney@carbonfive.com Friday, November 1, 13 We used to design and build

807 views • 65 slides
Risk Management Presented by: Jocelyn Filippini Gougeon Insurance Brokers What is Risk

Risk Management Presented by: Jocelyn Filippini Gougeon Insurance Brokers What is Risk

Risk Management Presented by: Jocelyn Filippini Gougeon Insurance Brokers What is Risk Management? Risk Management is the process of making and implementing decisions that will minimize the adverse effects of accidental and business losses on

459 views • 25 slides
zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA Risk Management in Higher Education ERM?

zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA Risk Management in Higher Education ERM?

zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA Risk Management in Higher Education ERM? Risk Management in Higher Education Risk Managem ent Is the process of making and implementing decisions that will minimize the adverse effects of

322 views • 21 slides
Ohio Tax State Transfer Pricing Audits Effective Strategies to Minimize Your Risk Tuesday,

Ohio Tax State Transfer Pricing Audits Effective Strategies to Minimize Your Risk Tuesday,

27th Annual Tuesday & Wednesday, January 2324, 2018 Hya Regency Columbus, Columbus, Ohio Workshop Z Ohio Tax State Transfer Pricing Audits Effective Strategies to Minimize Your Risk Tuesday, January 23, 2018 4:15 p.m. to 5:15

469 views • 28 slides
Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk

Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk

FREE Lifelong Learning Event for Fasset Members Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk assessment control matrix management process Governance Risk appetite Agenda for and risk Risk

1.28k views • 105 slides
April 15, 2014 2 3 Minimize Water Use Reduce Maintenance Reconnect with Nature

April 15, 2014 2 3 Minimize Water Use Reduce Maintenance Reconnect with Nature

1 San Bernardino Valley College Gymnasium Project Landscape Overview April 15, 2014 2 3 Minimize Water Use Reduce Maintenance Reconnect with Nature (AERIAL OF GLADE- GREAT OPPORTUNITY) Outdoor Education 4 Minimize

174 views • 14 slides
Risk Assessment Reduce the workers and Biosafety is an inexact science, and

Risk Assessment Reduce the workers and Biosafety is an inexact science, and

Risk Analysis Biosafety Risk assessment, Risk Risk analysis encom passes Management & risk risk assessm ent, risk communication m anagem ent, and risk com m unication. Ephy Khaemba International Livestock Research Institute

506 views • 11 slides
WEIGHTED SUMS OF RANDOM KITCHEN SINKS Replacing minimization with randomization in learning

WEIGHTED SUMS OF RANDOM KITCHEN SINKS Replacing minimization with randomization in learning

WEIGHTED SUMS OF RANDOM KITCHEN SINKS Replacing minimization with randomization in learning The model Given a set of training data in a domain Fit a function to minimize risk Empirical Risk Risk Loss Function Hinge loss

621 views • 13 slides
Community Health Center Risk Management Core Program Elements The process of applying sound

Community Health Center Risk Management Core Program Elements The process of applying sound

Community Health Center Risk Management Core Program Elements The process of applying sound management techniques to RISK MANAGEMENT the identification, assessment, and resolution of problems Generally To prevent and/or minimize

148 views • 10 slides
Sensor Networks Presented by: Fatima Rivera 1 Purpose To minimize the preamble in MAC

Sensor Networks Presented by: Fatima Rivera 1 Purpose To minimize the preamble in MAC

X-MAC: A Short Preamble MAC Protocol for Duty-Cycled Wireless Sensor Networks Presented by: Fatima Rivera 1 Purpose To minimize the preamble in MAC protocols Reduce latency at each hop Optimize energy consumption Minimize energy

401 views • 13 slides
ISDD Presentation How to Prepare Data Sheets for Datasheet Definitions Ron Montgomery ISDD In

ISDD Presentation How to Prepare Data Sheets for Datasheet Definitions Ron Montgomery ISDD In

ISDD Presentation How to Prepare Data Sheets for Datasheet Definitions Ron Montgomery ISDD In Industry St Standard Da Datasheet De Defin inition Build and Use Program (Why Do It (How to Do It) Datasheet/Spreadsheet Engineering Use Issues

349 views • 13 slides
F a ll L e a de rs Me e ting 2017 T a mpa Ba y Histo ric Go a ls T he first de c la ra

F a ll L e a de rs Me e ting 2017 T a mpa Ba y Histo ric Go a ls T he first de c la ra

F a ll L e a de rs Me e ting 2017 T a mpa Ba y Histo ric Go a ls T he first de c la ra tion of polic y sta te d: to a dva nc e the a rts a nd sc ie nc e s re la te d to the the o ry, de sig n, ma nufa c ture , a nd use

497 views • 26 slides
1Q20 RESULTS PRESENTATION Disclaimer The statements contained in this report regarding the

1Q20 RESULTS PRESENTATION Disclaimer The statements contained in this report regarding the

1Q20 RESULTS PRESENTATION Disclaimer The statements contained in this report regarding the business outlook of ISA CTEEP (ISA CTEEP, CTEEP, Company), the projections and their growth potential are based on mere forecasts and

126 views • 11 slides
ISA term project Anawil C. 5912087 Create a list of register Assign pointer to point to array

ISA term project Anawil C. 5912087 Create a list of register Assign pointer to point to array

ISA term project Anawil C. 5912087 Create a list of register Assign pointer to point to array Code Create 2 variable to find clock cycle and how many time instruction has been executed Function to find register, once we receive input from

92 views • 8 slides
DRAFT COMMISSION DELEGATED REGULATION ON INTELLIGENT SPEED ASSISTANCE (ISA) DRAFT DELEGATED ACT

DRAFT COMMISSION DELEGATED REGULATION ON INTELLIGENT SPEED ASSISTANCE (ISA) DRAFT DELEGATED ACT

ETSC RESPONSE TO THE DRAFT COMMISSION DELEGATED REGULATION ON INTELLIGENT SPEED ASSISTANCE (ISA) DRAFT DELEGATED ACT ALLOWS FOR 4 TYPES OF FEEDBACK 1. visual warning + cascaded acoustic warning 2. visual warning + cascaded haptic warning:

410 views • 19 slides
Disclosure and Barring Roadshows What you need to know: Changes commencing September 2012 Aims

Disclosure and Barring Roadshows What you need to know: Changes commencing September 2012 Aims

Disclosure and Barring Roadshows What you need to know: Changes commencing September 2012 Aims for the Day To outline the work of government since the completion of the reviews of the Vetting & Barring Scheme (VBS) and Criminal Records

299 views • 26 slides
DISABILITIES (HOLD) David Abbey Director MySafeHome Limited davidabbey@mysafehome.info 02476

DISABILITIES (HOLD) David Abbey Director MySafeHome Limited davidabbey@mysafehome.info 02476

HOME OWNERSHIP FOR PEOPLE WITH LONG-TERM DISABILITIES (HOLD) David Abbey Director MySafeHome Limited davidabbey@mysafehome.info 02476 402211 WHAT IS HOLD? Home Ownership for people with Long-term Disabilities (HOLD) is a PROVEN

521 views • 36 slides
Q1 2013 Results The Hague May 8, 2013 Alex Wynaendts Darryl Button CEO EVP aegon.com Key

Q1 2013 Results The Hague May 8, 2013 Alex Wynaendts Darryl Button CEO EVP aegon.com Key

Q1 2013 Results The Hague May 8, 2013 Alex Wynaendts Darryl Button CEO EVP aegon.com Key messages Execution of strategy to get closer to our customers Continued sales momentum in accumulation and at-retirement products

368 views • 36 slides

More recommend