2. About me
Rabbani Syed
27 years of wide-ranging experience in the Defense, Manufacturing, Energy and Oil & Gas industries
Systems Analyst, IT Quality Management, Information Technology, Kuwait National Petroleum Company.
Previous: Systems Engineer – Kuwait Controls Co.
◦ SCADA, DCS & Telemetry Systems for Ministry of Electricity & Water (MEW) – Kuwait.
Senior Engineer, Bharat Electronics (BEL-India)
◦ Design & Development of Real Time Computer Systems for Electronic Warfare Systems (Anti-Radar and Electronic Counter Measure Systems)
M. Engg. in ECE – Osmania University, B. Tech in ECE – JNTU, India
Certifications: PMP, CISSP, CISA, CISM, CGEIT
Certificates: ISO27001LA, ISA99 Cybersecurity Fundamentals Specialist
3. Quality Assurance: The 80% of Industrial Control Systems (ICS) Cybersecurity
Overview:
1. The ICS Context
2. The Challenges
3. Technology, People, Processes
4. Quality Assurance:
◦ Processes & Frameworks
4. Changes in the ICS Architecture
• ICS now use commercial technology
• Highly connected to the internet
• Offer remote access
In the past few years, there has been an increase in the number of cyberattacks on ICS.
5. The ICS Context
ICS – Industrial Control Systems (SCADA, DCS, PLCs, Telemetry, Building Automation Systems etc.)
OT – Operational Technology
IT – Information Technology
6. The ICS Context
Inversion of importance in Core Security Goals:
IT – Confidentiality, Integrity, Availability
OT – the same three goals, in inverted order of importance
7. The ICS Context, in Contrast with IT Context
Differing Performance Requirements:
8. The ICS Context
Differing Reliability Requirements:
IT Network | ICS Network
Scheduled Operations | Continuous Operations
Occasional Failures tolerated | Outages Intolerable
Beta testing in field acceptable | Thorough QC testing expected in non-production environment
Modifications possible with little paperwork | Formal Certifications may be required after any change
10. The ICS Context
Differing Security Architectures:
IT World | ICS World
Critical Systems to Protect: Servers, Storage etc. – reside in Computer Room | Critical Systems to Protect: PLC and Smart Instruments – reside in the field
11. The ICS Challenges:
1. Multi-vendor EPC Contracts
2. Increasing Management Expectations
3. Over 20 ICS Cybersecurity Standards
4. SIL Certification does not evaluate Cybersecurity
5. Hackers – No Experience required
6. Unintentional Security Incidents
7. Expanding depth and breadth of ICS Security Tasks
14. The Challenge:
SIL Certification does not evaluate Cybersecurity
• IEC 61508 Certification (SIL Certification) does not evaluate Cybersecurity.
15. The Challenges
Over 20 Standards
1. ISA 99 / IEC 62443 Cybersecurity Standard for ICS
2. NIST SP800-82 : Guide to Industrial Control Systems Security
3. NERC CIP-002 through CIP-009
4. Oil & Gas Sector: API Standard 1164 – SCADA Security
5. Water & Waste Water Sector Standards
6. Chemical Sector Standards
7. ……
16. The Challenge:
Hackers – No Experience required
Nessus plugins and Metasploit modules have been publicly released, enabling anyone to find and exploit these vulnerabilities.
17. The Challenge:
Hackers – No Experience required
www.rapid7.com, www.shodan.com; free code to crash PLCs is available on the internet.
20. Addressing ICS Cybersecurity:
1. Should controls be taken away from Smart Instruments?
2. Why can’t we build secure systems?
3. Is 100% Cybersecurity ever possible?
22. Addressing ICS Cybersecurity:
Technology, People and Processes
1. Technology
◦ The Cost-Benefit Analysis
2. People
◦ Is Cybersecurity awareness & training enough?
3. Processes
◦ Where is the end?
24. Addressing ICS Cybersecurity:
Technology, People and Processes
TECHNOLOGY
• The Cost-Benefit Analysis
• Constraint: COST
PEOPLE
• The Human Factor
• The End: TRUST
PROCESSES
• Quality Assurance
• Sky is the Limit
25. Quality Assurance
1. QA/QC – Definitions
2. The Processes
3. Standards & Frameworks
◦ The ICS Standards & Frameworks
◦ ISA99
◦ …..
◦ The IT Standards & Frameworks
◦ TOGAF
◦ COBIT
◦ ITIL
◦ ….
26. ICS Standards & Frameworks
ISA99 / IEC 62443
Relevant part to End-Users: ISA 62443-2 Series – Policies & Procedures
28. IT Standards & Frameworks
1. ISO 27001
2. IT Governance – COBIT 5
3. IT Service Management – ITIL V3.1
4. Enterprise IT Architecture – TOGAF V9.1
29. The Contrast
IT & ICS Standards & Frameworks
1. ICS – Technology Focus
2. IT – Business Enablement
30. TOGAF 9.1
1. Enterprise IT Architecture
2. Originated from TAFIM of the early 1980s, developed by the US Dept. of Defense
3. Provides an approach for designing, planning, implementing, and governing an enterprise Information Technology architecture.
31. COBIT 5
1. Governance & Management Framework for Enterprise IT – End to End
2. Building on 16 Year History
3. Provides Structure, Practices, Tools to:
◦ Proactively deliver value
◦ Manage Risk
◦ Maximize ROI
32. ITIL V3.1
1. IT Service Management Framework
2. Originated in the late 1980s by the UK Govt's CCTA
3. Focus on optimal service provisioning at justifiable cost