Pedro Putu Wirya, an IT and SCADA ICS Security Consultant with extensive experience in Information Security Management Systems (ISMS) and Cyber Security Assurance
Pedro Putu Wirya Consultant
www.fedco.co.id
linkedin.com/in/pedro-putu-wirya-37491734 pedro.putuwirya
+62-21-8657310 [email protected]
Content
Background
IT vs. SCADA ICS Risk Profile
SCADA ICS Security Risk Assessment
Summary
Background
The core functions of Industrial Control System plant operations:
- Plant monitoring and surveillance
- Plant controls and action
The goals of using ICS as the backbone system:
- Ensuring plant safety operations
- Ensuring plant business continuity
Background
The urgency and importance of ICS security:
- Risk escalation (internal vs. external)
- IT heritage risk
- Safety risk as the ultimate concern
- Critical infrastructure concern
- Competing with time
IT vs. SCADA ICS Risk Profile
The Essentials of Cyber Security Assurance
- Confidentiality: information confidentiality of data communication
- Integrity: the validity of information exchange
- Availability: the availability of the required information
The system objective will drive the fulfilment of these three aspects.
IT vs. SCADA ICS Risk Profile
IT vs. ICS from CIA Priority

Priority          IT     ICS
Confidentiality   1st    3rd
Integrity         2nd    2nd
Availability      3rd    1st
IT vs. SCADA ICS Risk Profile
Availability is the ULTIMATE PRIORITY
IT vs. SCADA ICS Risk Profile
Ultimate RISK Exposure
SCADA ICS Security Risk Assessment
SCADA ICS Security Program
- Asset Management
- Risk Management
- Security Audit & Assessment
- Implementation of Controls Strategy & Gap Closing Effort
- Compliance and Stewardship
- Continuous Improvement
(Figure: SCADA ICS Security Assurance Process)
SCADA ICS Security Risk Assessment
SCADA ICS Security Assurance Process mapped to the ISMS life cycle process (Plan-Do-Check-Act):

ISMS Life Cycle Process   SCADA ICS Security Assurance Process
PLAN                      SCADA ICS Security Program: Asset Management, Risk Management, Security Audit & Assessment
DO                        Implementation of Controls Strategy & Gap Closing Effort
CHECK                     Compliance and Stewardship
ACT                       Continuous Improvement
SCADA ICS Security Risk Assessment
Risk Management mapped to the ISMS life cycle process (Plan-Do-Check-Act):

ISMS Life Cycle Process   SCADA ICS Security Assurance Process
PLAN                      Preparation, Risk Assessment, Developing Controls Strategy, Controls Strategy & Risk Acceptance
DO                        Implementation of Controls Strategy
CHECK                     Risk Assessment Review
ACT                       Continuous Improvement
SCADA ICS Security Risk Assessment
Risk Assessment Process (Risk Communication runs across all three phases; the process closes with the Risk Assessment Review):

Preparation:
- Team development
- Team charter
- Set up objectives, goals, technical requirements and scope
- Risk strategy and approach

Core Activities:
- Risk Identification
- Risk Analysis
- Risk Evaluation
- Security Controls Development (Controls Strategy)

Finalization:
- Acceptance of Risk Profile
- Acceptance of Controls Strategy

Risk Assessment Review
SCADA ICS Security Risk Assessment
Expected results from a SCADA ICS Security Risk Assessment:
- Risk profile (before and after security controls)
- Prevention and mitigation actions (controls strategy)
- Responsible party for execution
- Continuous risk monitoring and review
Summary
- Risk assessment is the critical path to define, understand and manage the system based on its risk profile.
- Proper security controls (controls strategy) are the key to reducing the risk to an ALARP (as low as reasonably practicable) level.
- The implementation of the controls strategy should be integrated with the audit gap-closing action.
- Cyber security assurance can be achieved by developing and deploying a proper SCADA ICS Security Management System (SCADA ICS Security Program).
IT and SCADA ICS Security Courses
- ICS Cyber Security Management System: 5 Day Course, http://fedco.co.id/ics-cyber-security-management-system/
- IT Security Essentials: 4 Days Course, http://fedco.co.id/it-security-essentials/
- Certified Lead SCADA Security Professional: 4 Days Course + 1 Day Exam, http://fedco.co.id/certified-lead-scada-security-professional/
- Certified ISO 27001 Lead Auditor: 4 Days Course + 1 Day Exam, http://fedco.co.id/certified-iso-27001-lead-auditor/
SCADA ICS Security Assurance Services
IT Security Assurance Services
THANK YOU