ICS/SCADACyber Security Standards, Solution Tips &

ChallengesAhmed M. Al Enizy

IT Security ManagerInternational Systems Engineering

04/10/20232

In the era of Cyber War, securing ICS and SCADA systems helps in protecting national infrastructure thus preserving steady national economic growth. But deploying the right technical and/or physical solutions is not enough.

There are too many Security Standards for each industry that can complement Technical Solutions.

There is no single Standard that covers everything. This adds to the increasing complexity of ICS/SCADA

Management, Governance, and Compliance.

Bottom Line

04/10/20233

Difference between Standards, Frameworks, and Best Practices

ICS/SCADA Security Standards Which One is Good? Solution Tips How Does ISO 27001 Works? General Challenges

Agenda

04/10/20234

Standards, Frameworks, Best Practices

Act

Regulation

Standard

Framework

Best Practice

Legal

Technical

04/10/20235

ICS/SCADA Security Standards

14 different standard for different Infrastructure Sectors (Energy and Power, Oil, Chemical, Defense, Water Treatment, Emergency Services, IT, Communications)

API - American Petroleum Institute IEC - International

Electrotechnical Commission IEEE - Institute of Electrical and

Electronic Engineers ISA – Instrumentation, Systems,

and Automation Society ISO - International Organization

for Standardization NERC - North American Electric

Reliability Council NIST - National Institute of

Standards and Technology

04/10/20236

Good standard◦ Incorporates the Plan-Do-Check-Act approach.◦ Mature and stable.◦ Not contradicting or in conflict with corporate or

international standards.◦ Clear and easy to understand.◦ Systematic.◦ Realistic and practical.◦ Solves all parts of the problem.◦ Well structured and organized.◦ Measurable. ◦ Has a clear accreditation and certification process.◦ Widely followed and adapted.

Which one is Good?

04/10/20237

There is no “silver bullet”, and definitely there is no single solution.

Avoid reinventing the wheel, we are using their technologies therefor it is best to use their standards and conceder consultation.

It is a result of collaborative efforts through shared responsibilities supported by commitment, resources, and consultation.

The right starting point is choosing the right standard. You can consider Corporate GRC program to adapt the

security standard you have chosen. GRC market solutions provide technical assistance and

automation in managing GRC program vertically and horizontally.

Solution Tips

04/10/20238

How Does ISO 27001 Works?

04/10/20239

General Challenges

Cultures

PsychologicalFactors

Commitment

Cost

Complexity

Limitation

Compliance

Flexibility Integration

People Tech.

Process

SupportAuthority

Awareness

04/10/202310

Overlapping and intersection between standards.

Overlapping and varying abbreviations and definitions.

Growing complexity of compliance both vertical and horizontal.

Limited compliant ICS/SCADA suppliers with Security Standards.

General Challenges – Cont.

04/10/202311

Thank youQ / A

http://sa.linkedin.com/in/ahmadalanazy

@SaudiSecurity

amalanazy@gmail.com

a.alenizy@ise.sa