A Governance Model For ICS And SCADA Security - Gie.eu

Transcription

Slide 1: A governance model for ICS and SCADA security
Proposal of a model for evaluating and evolving ICS Cyber Security in Gas Critical Infrastructures
Toto Zammataro, 16th November 2016
Prepared for:

Slide 2: Agenda
- ICS Security Requirements & Governance Model Definition (3 pages)
- Maturity Evaluation & Roadmap Definition (4 pages)
AUTHORIZED FOR PUBLIC RELEASE. A governance model for ICS and SCADA security, page 2

Slide 3: ICS Security Requirements and Governance Model Definition
Project activities have delivered to the Client their new ICS Security Requirements and Governance Model.
Diagram (project flow):
- Information Gathering: Documents; Interviews (One-to-One, One-to-Many)
- Assessment Tool Definition
- Deliverables: Critical ICS Security Requirements; ICS Security Governance Model

Slide 4: Critical ICS Security Requirements
Critical ICS Security Requirements will help the Client secure future evolutions of their Industrial Control System.
ICS Key Assets:
- Technology: critical ICS data transmission network; servers and devices connected to critical ICS
- Human Resources
- Facilities
International Standard: NIST 800-82 r2
Identification of Security Requirements: a set of detailed requirements derived from NIST controls (800), divided into two groups:
- Governance Requirements: applicable to each asset; NIST families: Planning, Program Management
- Technical and Operative Requirements: Applicability Matrix, Assets (4) vs NIST Families (16)
Key Outcomes:
- The set of security requirements is applicable to the Group's Industrial Control Systems and is based on International Standards
- This approach could inspire the definition of requirements and countermeasures in any ICS environment

Slide 5: ICS Security Governance Model
The ICS Security Governance Model enables the evaluation of the effectiveness of the security measures put in place.
Key Components:
- Security Framework: Management Processes (7); Security Domains (11)
- Input Parameters: weights associated to prioritization levels and Stakeholders
- Evaluation Process: control-based assessment
Applicability:
- The overall Organization ICS Security Maturity Level is derived from the maturity levels of the Companies / Business Units belonging to the group
- The model is scalable to a new Client Group Company or BU
Diagram: organization tree (Group; Company 1, Company 2; BU 1, BU 2, BU 1.1 (CC2), BU 1.2, BU 2.1 (CC2), BU 2.2, BU 1.2.1 (CC2), BU 1.2.2; BU n Manager; Project Managers), with the legend "Company / BU Assessed".
Key Outcomes:
- The ICS Security Governance model is built to support complex organizations in which many actors contribute to ICS Security Management
- This model is independent from the particular input parameters chosen

Slide 6: Maturity Evaluation & Roadmap Definition
The ICS Security Governance Model has been applied during the project to evaluate the current maturity level.
Diagram (Activities / Deliverables / Projects): ICS Security Governance Model; Application of the Model; Assessment; As-is Maturity; Roadmap Projects: Project 1, Project 2, ..., Project 8

Slide 7: Assessment Tool
We evolved the Intellium tool in order to allow the assessment of the ICS Security maturity of every client stakeholder.
Tool Structure:
- 800 controls, each associated to a single Management Process and Domain
- 3 weighted Priority Levels (High, Medium, Low) derived from the NIST evaluation
- 6 "Maturity Levels" for each control
Evaluation & Results:
- The maturity of every control is evaluated through 6 maturity values
- Every control has to be evaluated for every company / Business Unit, or set as Not Applicable
- The tool computes a weighted average to provide the maturity level for each area of the framework (single process x single domain)
- Results (the populated framework) are shown in real time
Key Outcomes:
- The Excel tool provides the real-time maturity of every company / Business Unit, allowing separate evaluations
- The tool is scalable with little effort to a new Company or Business Unit, to adapt to acquisitions, organizational changes and new strategy

Slide 8: EXAMPLE, As-is Maturity Level
The overall maturity level of the whole Group is derived from these company / BU maturities.
Tool Structure:
- A weight (0-1) is associated to each company / BU based on strategy relevance and operating margin
- The overall maturity level is calculated as the weighted average of the maturity levels of each company / BU
Overall Results
Key Outcomes:
- The tool also provides the real-time maturity level of the overall group
- Effective graphical representation: Red: as-is maturity less than target maturity; Blue: as-is maturity greater than or equal to target maturity
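The scoring described on slides 7 and 8, as an added example (not the Intellium tool's own code): a priority-weighted average per framework area (process x domain) with Not Applicable controls excluded, then a 0-1 weighted average across companies / BUs, and the red/blue comparison against a target. The priority weights (High=3, Medium=2, Low=1), the 0..5 maturity scale, the per-company aggregation as the mean of its areas, and all control and score values are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional

PRIORITY_WEIGHT = {"High": 3.0, "Medium": 2.0, "Low": 1.0}  # assumed numeric weights


@dataclass(frozen=True)
class Control:
    cid: str
    process: str   # one of the 7 management processes
    domain: str    # one of the 11 security domains
    priority: str  # High / Medium / Low


# Constructed sample: four controls spread over two framework areas.
CONTROLS = [
    Control("AC-1", "Planning", "Access Control", "High"),
    Control("AC-2", "Planning", "Access Control", "Low"),
    Control("IR-1", "Operations", "Incident Response", "High"),
    Control("IR-2", "Operations", "Incident Response", "Medium"),
]
# Constructed scores: maturity 0..5 per control, None = Not Applicable.
SAMPLE_SCORES = {
    "Company A": {"AC-1": 4, "AC-2": 2, "IR-1": 3, "IR-2": None},
    "Company B": {"AC-1": 2, "AC-2": 2, "IR-1": 1, "IR-2": 3},
}
SAMPLE_WEIGHTS = {"Company A": 1.0, "Company B": 0.5}  # 0..1 per company / BU


def area_maturity(scores: Dict[str, Optional[int]], process: str, domain: str) -> Optional[float]:
    """Priority-weighted average over the applicable controls of one area (process x domain)."""
    num = den = 0.0
    for c in CONTROLS:
        if c.process == process and c.domain == domain and scores.get(c.cid) is not None:
            num += PRIORITY_WEIGHT[c.priority] * scores[c.cid]
            den += PRIORITY_WEIGHT[c.priority]
    return None if den == 0 else num / den  # None: whole area Not Applicable


def company_maturity(scores: Dict[str, Optional[int]]) -> float:
    """Company / BU level: mean of its applicable framework areas (assumed aggregation)."""
    areas = {(c.process, c.domain) for c in CONTROLS}
    vals = [v for v in (area_maturity(scores, p, d) for p, d in areas) if v is not None]
    return sum(vals) / len(vals)


def group_maturity(company_scores, company_weights) -> float:
    """Group level: weighted average of company / BU maturities using the 0..1 weights."""
    total = sum(company_weights[n] for n in company_scores)
    return sum(company_weights[n] * company_maturity(s) for n, s in company_scores.items()) / total


def colour(as_is: float, target: float) -> str:
    """Red when the as-is maturity is below target, blue when greater than or equal."""
    return "red" if as_is < target else "blue"
```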

Slide 9: Strategic Roadmap
Starting from the assessment results we can define a roadmap made of X projects aiming to address the areas of improvement.
Prioritization criteria:
- Cost (CAPEX, OPEX, FTE)
- Complexity (implementation, organizational, ...)
- Benefit (maturity level increase, risk mitigation, ...)
Three-year Roadmap: 2017, 2018, 2019
Chart: projects plotted by Cost vs Benefit (bubble size: Complexity). Projects shown:
- ICS Cyber Security Program
- ICS Incident Management
- Cyber Threat Intelligence
- Cyber Security Risk Management
- ICS Configuration Management & CMDB
- ICS Access Management Evolution
- Evolution of Post-VA/PT Remediation Plans
- Human Resources Assessment and Development

Slide 10: Any questions?

Slide 11: Contacts
Toto Zammataro, 39-348-0097164, Email: tzammataro@deloitte.it, LinkedIn: www.linkedin.com/in/totoz (1)
(1) I'm accepting on LinkedIn only people I'm aware I met in the real world.
The name Deloitte refers to one or more of the following entities: Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), the member firms belonging to its network and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please read the full description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms at www.deloitte.com/about.
2016 Intellium Italia Srl
