Information Security Standards in Critical Infrastructure Protection
Berlin 11/11/2015
Alessandro Guarino
StudioAG
Slide 2 of 19
Introduction
● Computers everywhere!
● ICT technologies pervasive even in very analog settings: trains, planes, automobiles (and water treatment)
● Worse… everything seems to be connected
Slide 3 of 19
Introduction
● However… we have a problem
● Industrial plants and infrastructure applications have their own peculiarities:
– Physical effects
– Long life and legacy systems
– Geographical dispersion
– Safety first!
– Important societal impacts – several stakeholders
Slide 4 of 19
Introduction
● [...] an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions.
Slide 5 of 19
Introduction
● Standards as an integral part of Infosec
● In CIP and Cyber Security they are becoming integral to policy
● Cybersecurity policy at the crossroads of Information Technology, Security, Policy, Economics...
Slide 6 of 19
The World of Standardisation
● Overly fragmented and complex (actors and bodies, geography, interests involved…)
● Rough classification of norms along two parameters:
– Technical vs. Organisational
– Certifiable vs. Non-certifiable
Slide 7 of 19
The World of Standardisation
● Who writes standards?
● An alphabet soup (selection):
● Europe: CEN, CENELEC & ETSI
– The “European Standardisation Organisations”
● United States: NIST, ANSI, NERC
● Worldwide: ISO, IEC
● Many, many others...
Slide 8 of 19
Available Standards
(Some of them...)
ISO 27001
Common Criteria, aka ISO 15408
NIST 800-53
NERC CIP
ANSI/ISA 99
Slide 9 of 19
ISO 27001
● Risk-based
● Wide range of controls
● Not specific, needs to be tailored and implemented
● Part of the ISO 27xxx series
Slide 10 of 19
Common Criteria
● Concerned with design & development
● Adopted in the military
● Not directly applicable but useful to assess the level of security of single elements of the system
Slide 11 of 19
American Standards
● NIST 800-53 “Security and Privacy Controls for Federal Information Systems and Organizations”
● The NIST Framework for Improving Critical Infrastructure Cybersecurity (2014)
Slide 12 of 19
American Standards
● NERC Standards for the Power Grid
● A very interesting case study for policy
● (Specific sector but example of a Critical Infrastructure, central to many others)
Slide 13 of 19
Standardisation Policies
● Standard development
● Standard implementation and adoption
Slide 14 of 19
Standardisation Policies
● The development phase
– Europe: The ESO ecosystem, the Commission and their interactions
– US: Free Market and Supreme Executive Power
Slide 15 of 19
Standardisation Policies
● Adoption of standards: policy options
– No mandatory standardisation (non-interference)
– Voluntary standardisation compliance
  ● Possibly with economic incentives
– Mandatory compliance (NERC CIP)
Slide 16 of 19
Standardisation Policies
Slide 17 of 19
Conclusions
● Benefits of technical standardisation are mostly non-controversial
● Adoption of organisational models is sketchy
● Problem – Organisational Security Models are fundamental for Cyber Security
● Policy-wise, mandatory adoption seems necessary for CI. Alternatives?
Slide 18 of 19
Thank you! Any questions?
Contacts:
@alexsib17
Full Paper and Slide Deck Freely Available at: www.studioag.pro
(Information Security Blog)
StudioAG – Infosec Consultancy Firm: www.studioag.eu
Slide 19 of 19
References
● CEN-CENELEC-ETSI Cyber Security Coordination Group: “Recommendations for a Strategy on European Cyber Security Standardisation”, 2014 (http://www.cscg.focusict.de)
● Dept. of Homeland Security: “Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization and Protection”, 2003
● ISO/IEC: “ISO/IEC 27001:2013 – Information Technology – Security Techniques – Information Security Management Systems – Requirements”
● NIST: “Framework for Improving Critical Infrastructure Cybersecurity”, 2014
● NIST: “NIST Special Publication 800-53 – Revision 4 – Security and Privacy Controls for Federal Information Systems and Organizations”