So…
How do we start?
Caught between regulation,
requirements, and standards
IEC 62443
ISO 27032
ISA 99
NIST
ANSSI
NERC CIP
BDSG
WIB
NIS directive
IACS Cybersecurity Standards
Cybersecurity Standards Deliver:
✓ Common Industry Language and Terminology
✓ Standardized Methodology
✓ Guidance on how to answer:
What is my current risk?
What would be a more acceptable level of
risk for my organization?
How do I get to that more acceptable level?
IEC 62443
IEC 62443
gives us the ability to communicate
in an unambiguous way
Align with industry framework
Compliance & standards
Applies to those responsible for designing, manufacturing,
implementing or managing industrial control systems:
• End-users (i.e. asset owner)
• System integrators
• Security practitioners
• ICS product/systems vendors
ISA/IEC 62443: a series of standards that define procedures for
implementing electronically secure Industrial Automation and Control
Systems (IACS).
* Aligned with ISO 27001 and the NIST Cybersecurity Framework (it complements them for OT rather than replacing them)
based on a holistic Defense in depth concept
IEC 62443
A secure application depends on multiple layers of diverse protection, and industrial security must be
implemented as a system
Defense-in-Depth
Deploying Network Security
▪ Defense in Depth
▪ Shield targets behind multiple levels of diverse security countermeasures to
reduce risk
▪ Openness
▪ Consideration for participation of a variety of vendors in our security solutions
▪ Flexibility
▪ Able to accommodate a customer’s needs, including policies & procedures
▪ Consistency
▪ Solutions that align with Government directives and Standards Bodies
Before / During / After
Plant security
Network security
System integrity
Defense in depth
IEC 62443
provides
system
design
guidelines
IEC 62443
Addresses the entire life cycle
IEC 62443
provides a complete
Cyber Security
Management System
IEC 62443
The IEC 62443 / ISO 27001 based method
1. Definition of scope
2. Identification and business impact assessment
3. Risk assessment
4. Definition of target level
5. Development and implementation of protection concept
Getting started
What’s at risk?
▪ Loss of Life
▪ Stolen Intellectual Property
▪ Production Loss
▪ Unscheduled Downtime
▪ Damaged Equipment
▪ Environmental Impact
Elements of the Cyber Security Management System (CSMS):
▪ Risk analysis: business rationale; risk identification, classification and assessment
▪ Monitoring and improving the CSMS: conformance; review, improve and maintain the CSMS
Understanding Risk
High-Level Security Risk Assessment (IEC 62443-3-2)
What is your current level of risk? Risk score = Impact x Likelihood

Impact    | Remote | Unlikely | Possible | Likely | Certain
Trivial   |   1    |    2     |    3     |   4    |    5
Minor     |   2    |    4     |    6     |   8    |   10
Moderate  |   3    |    6     |    9     |  12    |   15
Major     |   4    |    8     |   12     |  16    |   20
Critical  |   5    |   10     |   15     |  20    |   25
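The matrix above is the whole high-level method: every threat scenario in a zone gets an impact and a likelihood, the product is the score, and the zone inherits its worst score. The following is an added example (not part of the original deck) that scores a few constructed scenarios with exactly this matrix, applies a countermeasure that lowers likelihood, and reports the residual risk per zone. The risk bands, the tolerable-risk threshold of 9 and the sample scenarios are assumptions made for the example; the slide itself only shows the scores.

```python
"""Impact x likelihood risk scoring with the 5x5 matrix from the slide.

Added example, not from the original slide deck. Matrix values follow the
slide (impact 1-5 times likelihood 1-5). Risk bands, the tolerable-risk
threshold and the sample scenarios are assumptions constructed here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

IMPACT = {"Trivial": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Critical": 5}
LIKELIHOOD = {"Remote": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Certain": 5}

# Assumption for this example: how scores are banded. The slide only shows scores.
BANDS = ((1, 4, "Low"), (5, 9, "Medium"), (10, 16, "High"), (17, 25, "Very high"))
TOLERABLE = 9  # assumption: anything above "Medium" must be treated


def risk_score(impact: str, likelihood: str) -> int:
    """Score = impact x likelihood, i.e. the cell in the slide's matrix."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]


def risk_band(score: int) -> str:
    for lo, hi, name in BANDS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"score {score} outside 1..25")


@dataclass
class Scenario:
    zone: str
    threat: str
    impact: str
    likelihood: str
    # Likelihood after the planned countermeasure. Assumption: in this example
    # countermeasures reduce likelihood, not impact.
    mitigated_likelihood: Optional[str] = None

    @property
    def unmitigated(self) -> int:
        return risk_score(self.impact, self.likelihood)

    @property
    def residual(self) -> int:
        return risk_score(self.impact, self.mitigated_likelihood or self.likelihood)


def assess(scenarios: List[Scenario], tolerable: int = TOLERABLE) -> Dict[str, dict]:
    """Per zone: worst unmitigated score, worst residual score, and the threats
    whose residual risk is still above the tolerable threshold."""
    result: Dict[str, dict] = {}
    for s in scenarios:
        z = result.setdefault(s.zone, {"unmitigated": 0, "residual": 0, "open": []})
        z["unmitigated"] = max(z["unmitigated"], s.unmitigated)
        z["residual"] = max(z["residual"], s.residual)
        if s.residual > tolerable:
            z["open"].append(s.threat)
    return result


# Constructed sample scenarios (not from the slides).
SAMPLE = [
    Scenario("Control #1", "Malware via USB on engineering workstation",
             "Critical", "Likely", mitigated_likelihood="Unlikely"),
    Scenario("Control #1", "Unauthorised remote access to PLC",
             "Major", "Possible", mitigated_likelihood="Remote"),
    Scenario("Plant", "Historian data loss", "Moderate", "Possible"),  # no measure planned
    Scenario("Enterprise", "Phishing of office user",
             "Minor", "Certain", mitigated_likelihood="Likely"),
]

if __name__ == "__main__":
    for zone, r in assess(SAMPLE).items():
        print(f"{zone}: unmitigated {r['unmitigated']} ({risk_band(r['unmitigated'])}), "
              f"residual {r['residual']} ({risk_band(r['residual'])}), open: {r['open']}")
```

Note that the USB scenario stays open: cutting likelihood from Likely to Unlikely only brings a Critical impact from 20 down to 10, which is still above the assumed threshold, so a further measure (or an impact-reducing one) is needed before the zone's target level can be considered met.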
Risk methods and frameworks
“A good overview” – more info: https://www.ncsc.gov.uk/collection/risk-management-collection/component-system-driven-approaches/understanding-component-driven-risk-management
NIST Cybersecurity Framework – the five core functions:
▪ Identify: the organization understands the current state and the risk to systems, assets and data
▪ Protect: implement safeguards to ensure delivery of critical infrastructure services
▪ Detect: implement appropriate activities to identify a cybersecurity event
▪ Respond: implement activities to take action regarding a detected cybersecurity event
▪ Recover: implement activities to maintain plans for resilience and to restore capabilities
The Standard
The structure of IEC 62443

General (definition and metrics)
▪ 1-1 Terminology, concepts and models
▪ 1-2 Master glossary of terms and abbreviations
▪ 1-3 System security compliance metrics
▪ 1-4 IACS security lifecycle and use-cases

Policies and procedures (processes / procedures)
▪ 2-1 Security program requirements for IACS asset owners
▪ 2-2 IACS security program ratings
▪ 2-3 Patch management in the IACS environment
▪ 2-4 Security program requirements for IACS service providers

System (functional requirements)
▪ 3-1 Security technologies for IACS
▪ 3-2 Security risk assessment and system design
▪ 3-3 System security requirements and security levels

Components (functional requirements)
▪ 4-1 Secure product development lifecycle requirements
▪ 4-2 Technical security requirements for IACS components
Protection Level (PL)
Protection Levels are the key criteria and cover both security functionalities and security processes:
▪ Security process: Maturity Level 1 - 4, based on IEC 62443-2-4 and ISO 27001
▪ Security functions: Security Level 1 - 4, based on IEC 62443-3-3
PL 1 to PL 4 are plotted on a grid of Maturity Level (1 - 4) against Security Level (1 - 4); a higher PL requires both dimensions to rise.
Understanding Risk
High-Level Security Risk Assessment
What is your Target Security Level (SL-T)?
▪ Security Level 1: protect against casual or incidental access by unauthorized entities
▪ Security Level 2: protect against intentional unauthorized access by entities using simple means with low resources, generic skills and low motivation
▪ Security Level 3: protect against intentional unauthorized access by entities using sophisticated means with moderate resources, IACS-specific skills and moderate motivation
▪ Security Level 4: protect against intentional unauthorized access by entities using sophisticated means with extended resources, IACS-specific skills and high motivation
Consequences –
some selected points
▪ PL 1: use of VLANs, network hardening, managed switches and the capability to back up are mandatory …
▪ PL 2: a distributed firewall concept has to be implemented; inventory and network management are mandatory; the capability to automate backups is mandatory …
▪ PL 3: even more…
▪ PL 4: even way more…
IEC 62443 Security measures
It is unambiguous … measures are cumulative (+): each Protection Level adds to those of the levels below it. Grouped by the slide's five measure categories:

Secure Physical Access
▪ PL 1: locked building/doors with keys
▪ PL 2: doors with card reader
▪ PL 3: revolving doors with card reader
▪ PL 4: revolving doors with card reader and PIN; video surveillance and/or iris scanner at the door

Organize Security (baseline towards higher PLs)
▪ Awareness training (e.g. operator awareness training)
▪ Persons responsible for security within own organization
▪ Mandatory security education …

Secure Solution Design (baseline towards higher PLs)
▪ Network segmentation (e.g. VLAN)
▪ Physical network segmentation or equivalent (e.g. SCALANCE S)
▪ No e-mail, no WWW, etc. in the secure cell; 2 PCs (secure cell / outside)
▪ Firewalls with fail-close (e.g. next generation firewall) …

Secure Operations (baseline towards higher PLs)
▪ Security logging on all systems
▪ Mandatory rules on USB sticks (e.g. whitelisting)
▪ Remote access with cRSP or equivalent; remote access restriction (e.g. need-to-connect principle)
▪ Monitoring of all human interactions; monitoring of all device activities
▪ Dual approval for critical actions
▪ Continuous monitoring (e.g. SIEM) …

Secure Lifecycle management (baseline towards higher PLs)
▪ Backup / recovery system
▪ Automated backup / recovery
▪ Backup verification
▪ Online security functionality verification …
Cybersecurity Essentials
▪ Equipment built with security in mind
▪ Network design & segmentation
▪ Asset inventory
▪ Vulnerability identification
▪ Patch management
▪ Password management
▪ Phishing identification training
▪ Disaster recovery
▪ Upgrade aging infrastructure
▪ Limiting privileges
A piece of a bigger picture
▪ IEC 62443 – the OT-security standard
▪ ISO 27001 – the well-known IT-security standard
▪ NIST 800-30 – risk assessment framework
▪ The functional safety standard
Recap – contributions of the stakeholders
▪ Asset owner: defines the Target SLs (SL-T) of zones and conduits – IEC 62443-3-2 Security risk assessment and system design
▪ System integrator: delivers the automation solution with its Achieved SLs (SL-A) – IEC 62443-3-3 System security requirements and security levels
▪ Product supplier: delivers control system capabilities with Capability SLs (SL-C) – IEC 62443-4-1 Product development requirements, IEC 62443-4-2 Technical security requirements for IACS products
IEC 62443-3-2 Generic Blueprint: Zones and Conduits
▪ Zone Enterprise Network
▪ Zone Plant
▪ Zone Control #1, Zone Control #2
▪ Conduits connect the zones
Each zone is assigned its own protection level (PL1, PL2, PL3 in the blueprint) and is marked trusted or untrusted.
IEC 62443-3-2 Examples
▪ Small site: OT is air-gapped
▪ Medium-sized site: OT and IT are connected via one conduit
▪ Large site: OT and IT are connected via a DMZ
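Whatever the site size, the design only holds if every flow between zones actually passes through a defined conduit. The following is an added example (not from the deck) that audits flow records against a zones-and-conduits model of the large-site variant: zones are subnets, conduits are an explicit allowlist of (source zone, destination zone, protocol, port), anything else crossing a zone boundary is a violation, and a direct Enterprise-to-Control flow is called out as bypassing the DMZ. Zone subnets, the conduit list and the flow records are constructed for this example.

```python
"""Zone/conduit policy check over flow records.

Added example, not from the original slide deck. Models the "large site"
picture (Enterprise and OT connected only via a DMZ). Zone subnets, the
conduit allowlist and the flow records are constructed for this example.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

ZONES = {
    "Enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "DMZ":        ipaddress.ip_network("10.2.0.0/24"),
    "Plant":      ipaddress.ip_network("10.10.0.0/16"),
    "Control #1": ipaddress.ip_network("192.168.1.0/24"),
    "Control #2": ipaddress.ip_network("192.168.2.0/24"),
}

# Conduits: (source zone, destination zone, protocol, destination port).
# Deny by default: a cross-zone flow not listed here is a violation.
CONDUITS = {
    ("Enterprise", "DMZ", "tcp", 443),    # office users reach the DMZ historian mirror
    ("DMZ", "Plant", "tcp", 5432),        # DMZ mirror pulls from the plant historian
    ("Plant", "Control #1", "tcp", 502),  # SCADA polls PLCs over Modbus/TCP
    ("Plant", "Control #2", "tcp", 502),
    ("Plant", "Control #1", "tcp", 4840), # OPC UA to Control #1 only
}


def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None  # not in any defined zone: unknown asset, flag it


def classify(flow: Dict) -> Tuple[str, str]:
    """Return (verdict, reason) for one flow record."""
    src, dst = zone_of(flow["src"]), zone_of(flow["dst"])
    if src is None or dst is None:
        return "violation", f"address outside any zone ({flow['src']} -> {flow['dst']})"
    if src == dst:
        return "allowed", f"intra-zone {src}"
    if (src, dst, flow["proto"], flow["dport"]) in CONDUITS:
        return "allowed", f"conduit {src} -> {dst} {flow['proto']}/{flow['dport']}"
    if src == "Enterprise" and dst.startswith("Control"):
        return "violation", f"{src} reached {dst} directly, bypassing the DMZ"
    return "violation", f"no conduit {src} -> {dst} {flow['proto']}/{flow['dport']}"


def parse_flows(lines: List[str]) -> List[Dict]:
    """Parse 'src dst proto dport' records (constructed format); skip comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append({"src": src, "dst": dst, "proto": proto, "dport": int(dport)})
    return flows


def audit(lines: List[str]) -> List[Tuple[str, str, Dict]]:
    return [(*classify(f), f) for f in parse_flows(lines)]


def violations(lines: List[str]) -> List[str]:
    return [reason for verdict, reason, _ in audit(lines) if verdict == "violation"]


# Constructed flow records (not captured from a real network).
SAMPLE_FLOWS = """
# src           dst             proto dport
10.1.5.20       10.2.0.10       tcp   443
10.2.0.10       10.10.3.7       tcp   5432
10.10.3.7       192.168.1.11    tcp   502
10.10.3.7       192.168.1.11    tcp   4840
10.10.3.7       192.168.2.11    tcp   4840
10.1.5.20       192.168.1.11    tcp   502
192.168.1.11    192.168.1.12    udp   161
10.1.5.20       10.10.3.7       tcp   3389
172.16.9.9      192.168.1.11    tcp   502
""".splitlines()

if __name__ == "__main__":
    for verdict, reason, flow in audit(SAMPLE_FLOWS):
        print(f"{verdict:9} {flow['src']:>14} -> {flow['dst']:<14} {reason}")
```

Run against the constructed records it flags four flows: OPC UA into Control #2 (no conduit defined), an office host reaching a PLC directly (DMZ bypassed), RDP from the office into the plant zone, and a source address that belongs to no zone at all. The same check can be fed from firewall or NetFlow exports once the record format is adapted in `parse_flows`.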
Questions?

Industrial_Cyber_Security
