Leveraging Industry Standards To Address OT Cybersecurity Challenges Webinar - 3may2023 - Handout
Standards, Regulations, Frameworks       | Type                  | Governing Body | Origin        | Scope | Applicability
NIS Directive                            | Regulation            | ENISA          | EU (+ UKI)    | EU    | Multi-Industry, IT/OT
NERC CIP                                 | Regulation            | FERC           | US            | US    | Electricity, IT/OT
ISA/IEC 62443 (formerly ANSI ISA99)      | Standard              | ANSI, ISA, IEC | International | Multi | Multi-Industry, OT
NIST CSF                                 | Framework (Guideline) | NIST           | US            | Multi | Multi-Industry, IT/OT
Critical Security Controls (CIS Top 20)  | Guideline             | CIS            | US            | Multi | Multi-Industry, OT
ISO/IEC 27000 Series                     | Standard              | ISO, IEC       | International | Multi | Multi-Industry, IT/OT
NIST SP 800-82                           | Guideline             | NIST           | US            | Multi | Multi-Industry, OT
NIST SP 800-53                           | Guideline             | NIST           | US            | Multi | Multi-Industry, IT/OT

How the categories relate to each other:
- Policy or Regulation: dictates your intent
- Standards: dictate your requirements
- Best Practices or Guidelines: guide your implementation
- Procedures: help your implementation
Cybersecurity Strategy
Cybersecurity in IT/OT environments is not limited to the plants. Organisations should develop an overall cybersecurity strategy for the entire business and its IT/OT ecosystems. Critical components of the strategy may include Enterprise Architecture and Enterprise Security Architecture.
Cybersecurity Framework
IEC 62443 – Overall Process
IEC 62443 Foundational Requirements
Countermeasures for Asset Owner, System Integrator, and Product Supplier
What are Foundational Requirements (FRs)?
IEC 62443-1-1 defines seven FRs: FR 1 Identification and Authentication Control (IAC), FR 2 Use Control (UC), FR 3 System Integrity (SI), FR 4 Data Confidentiality (DC), FR 5 Restricted Data Flow (RDF), FR 6 Timely Response to Events (TRE) and FR 7 Resource Availability (RA). IEC 62443-3-3 expands each FR into a series of system requirements (SRs). Each SR has a baseline requirement and zero or more Requirement Enhancements (REs) that strengthen it for higher security levels.
How To Select What’s Best
Asset Owner, System Integrator, and Product Supplier
Security Levels
SL 1: Protection against casual or coincidental violation (security controls against basic threats)
SL 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation
SL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS-specific skills and moderate motivation
SL 4: Protection against intentional violation using sophisticated means with extended resources, IACS-specific skills and high motivation
One Size Doesn’t Fit All – Countermeasures
[Figure: IEC 62443-3-3 requirements (7 FRs, 51 SRs, 49 REs) plotted against target security levels SL 0 to SL 4 and maturity levels 1 to 4; axes: Mitigation Cost ($) and Cyber Risk]
It can be overwhelming: choose your security control requirements based on your risk level, and choose your countermeasures wisely.
Cybersecurity Requirements
Standards and Best Practices across IT/OT Security
- Logging and Monitoring
- Network Segmentation
- System Integrity
- Add your requirements here
CRS Mapping to Security Controls
The CRS (Cybersecurity Requirements Specification) needs to be mapped to specific security control objectives to materialise your security requirements into cybersecurity solutions.
Inputs to the CRS: Strategy and EA; Risk Assessment; VA/PT
Control catalogues the CRS is mapped to: NIST SP 800-53; IEC 62443; ISO 27001; Regulatory; Industry Specific; Internal
Output: Cybersecurity Solutions
Layered Security Approach – Defense-in-Depth
Develop Solution Compliance Checklists
The CRS helps with generating vendor compliance checklists. Examples:
Firewall
- Shall be IEC 61850-3 and IEEE 1613 compliant
- Shall support deep packet inspection (DPI) of a wide range of ICS protocols
IPS
- Shall be IEC 61850-3 and IEEE 1613 compliant
- Shall support deep packet inspection (DPI) of a wide range of ICS protocols
- Shall offer local as well as centralised management capability
- Shall support the network high-availability requirements of a digital substation, such as PRP and HSR (IEC 62439-3)
- Shall support integration with a wide range of security products, such as NIDS, NAC, etc.
HIDS
- Shall support centralised, distributed, federated and disconnected architectures
- Shall support a wide range of operating systems, including legacy operating systems
- Shall run within 20-40 MB of system memory
- Shall support passive and active modes
- Shall support log forwarding using syslog, etc.
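The chain the preceding slides describe (security level per zone, selection of IEC 62443-3-3 SRs and REs, CRS, vendor checklist) can be made mechanical. The following Python is an added example and is not part of the Fortinet handout or of the standard itself: it selects the requirements that apply to a zone from its target security level vector (SL-T, one value per FR) and derives a checklist and a vendor gap list from them. The CATALOGUE is a constructed excerpt written from memory of IEC 62443-3-3, and its min_sl values are illustrative; verify every entry against the standard before using it in a real CRS. The zone name and SL-T values are likewise made up.

```python
"""Derive an IEC 62443-3-3 requirement checklist for a zone from its SL-T vector.

Added example, not part of the Fortinet handout. CATALOGUE is a constructed
excerpt written from memory of IEC 62443-3-3; the min_sl values are
illustrative and must be verified against the standard before use.
"""
from dataclasses import dataclass

# The seven Foundational Requirements (FRs) of IEC 62443-1-1, in standard order.
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")


@dataclass(frozen=True)
class Requirement:
    ref: str      # "SR 1.1" is a baseline SR; "SR 1.1 RE(1)" is its first RE
    fr: str       # FR the SR belongs to
    title: str
    min_sl: int   # lowest SL-T (1..4) at which the requirement applies


# Constructed excerpt (illustrative SL values; verify against IEC 62443-3-3).
CATALOGUE = [
    Requirement("SR 1.1", "IAC", "Human user identification and authentication", 1),
    Requirement("SR 1.1 RE(1)", "IAC", "Unique identification and authentication", 2),
    Requirement("SR 1.1 RE(2)", "IAC", "Multifactor authentication for untrusted networks", 3),
    Requirement("SR 1.1 RE(3)", "IAC", "Multifactor authentication for all networks", 4),
    Requirement("SR 2.8", "UC", "Auditable events", 1),
    Requirement("SR 2.8 RE(1)", "UC", "Centrally managed, system-wide audit trail", 3),
    Requirement("SR 3.4", "SI", "Software and information integrity", 1),
    Requirement("SR 3.4 RE(1)", "SI", "Automated notification about integrity violations", 3),
    Requirement("SR 5.1", "RDF", "Network segmentation", 1),
    Requirement("SR 5.1 RE(1)", "RDF", "Physical network segmentation", 2),
    Requirement("SR 5.1 RE(2)", "RDF", "Independence from non-control system networks", 3),
    Requirement("SR 5.1 RE(3)", "RDF", "Logical and physical isolation of critical networks", 4),
]


def validate_sl_vector(sl_t):
    """An SL-T vector assigns one level 0..4 to each of the seven FRs."""
    if set(sl_t) != set(FRS):
        raise ValueError(f"SL-T vector must cover exactly the FRs {FRS}")
    for fr, sl in sl_t.items():
        if sl not in range(0, 5):
            raise ValueError(f"SL-T for {fr} must be 0..4, got {sl}")


def select_requirements(sl_t):
    """SRs and REs that apply to a zone with target SL vector sl_t.

    A requirement applies when the zone's SL-T for its FR is at least the
    requirement's min_sl. An FR with SL-T 0 therefore contributes nothing.
    """
    validate_sl_vector(sl_t)
    return [r for r in CATALOGUE if r.min_sl <= sl_t[r.fr]]


def checklist(zone, sl_t):
    """Checklist lines for a CRS or vendor questionnaire, grouped by FR."""
    selected = select_requirements(sl_t)
    lines = [f"Zone {zone}: SL-T = " + " ".join(f"{fr}={sl_t[fr]}" for fr in FRS)]
    for fr in FRS:
        for r in selected:
            if r.fr == fr:
                lines.append(f"  [ ] {r.ref}: {r.title}")
    return lines


def vendor_gap(sl_t, claimed):
    """Requirements the zone needs that a vendor's claimed coverage omits."""
    claimed = set(claimed)
    return [r.ref for r in select_requirements(sl_t) if r.ref not in claimed]


if __name__ == "__main__":
    # Constructed example zone: supervisory control with SL-T 2 for access
    # control and data flow, SL-T 3 for use control, SL-T 1 elsewhere.
    L2_CONTROL = {"IAC": 2, "UC": 3, "SI": 1, "DC": 1, "RDF": 2, "TRE": 1, "RA": 1}
    print("\n".join(checklist("L2 Control", L2_CONTROL)))
    print("Vendor gap:", vendor_gap(L2_CONTROL, {"SR 1.1", "SR 2.8", "SR 3.4", "SR 5.1"}))
```

The point of keeping the catalogue as data is that the same selection logic serves every zone: raise UC to 3 for one zone and the centrally managed audit trail enhancement appears in that zone's checklist only, which is the "one size doesn't fit all" behaviour the earlier slide asks for. The vendor gap list is the starting point for the compliance checklist above: a product that only claims the baseline SRs is missing the REs the zone's SL-T requires.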
How To Apply Defenses in ICS/OT?
- Planning and Strategy
- People
- Process
- Technology
Source: US-DHS
People, Process, and Technology
Governance, Risk, Compliance
Cybersecurity Framework
Why Defense-in-Depth?
Early detection, minimised impact, proactive security.
IEC 62443 – 5D Physical and Cybersecurity Strategy: DETER, DETECT, DELAY, DENY, DEFEAT
NIST CSF – Security Control Categories
MITRE ATT&CK for ICS – cyber-attack sequence: Initial Access, Execution, Persistence, Evasion, Discovery, Lateral Movement, Collection, Command and Control, Impact
Defense-in-Depth security measures can break the cyber-attack sequence and prevent the impact.
What does Defense-in-Depth Mean?
Five Key Security Countermeasures for Industrial Control Systems and Operational Technology
Technology
1. Identify, minimize, and secure all network connections to the ICS/OT.
2. Harden the ICS and supporting systems by disabling unnecessary services, ports, and protocols; enable available security features; and implement robust configuration management practices.
3. Continually monitor and assess the security of the ICS/OT, networks, and interconnections.
Process
4. Implement a risk-based defense-in-depth approach to securing ICS/OT systems and networks.
People
5. Establish expectations for ICS/OT; hold individuals accountable for their performance; establish policies; and provide ICS/OT security training for all operators and administrators.
Source: US-DHS
Fortinet Can Help – Cyber Threat Assessment
Security Architecture
Development & Implementation
Controls to Solution and Compliance Mapping
Example
How To Define Security Zones and Conduits?
In a Nutshell
Network Segmentation and Micro-segmentation
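Zones and conduits are only useful if the actual rule set honours them, so a practical step after defining them is to check every candidate firewall rule against the declared model. The following Python is an added example and is not part of the Fortinet handout: it assigns source and destination addresses to zones, requires inter-zone traffic to use a declared conduit carrying that service, and reports the rules that do not fit. The zone ranges, conduits, services and sample rules are all constructed for illustration (TCP port 102 is used as the IEC 61850 MMS service on the DMZ-to-Control conduit; the Safety zone is deliberately declared with no conduits). Conduits are treated as directional, which is a design choice, not a rule of the standard.

```python
"""Check a candidate firewall rule set against declared IEC 62443 zones and conduits.

Added example, not from the Fortinet handout. Zone ranges, conduits, services
and sample rules are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: int


# Zones: name -> member networks (constructed).
ZONES = {
    "Enterprise": ["10.0.0.0/16"],
    "DMZ": ["10.10.0.0/24"],
    "Control": ["192.168.10.0/24"],
    "Safety": ["192.168.20.0/24"],   # deliberately has no conduit: isolated
}

# Conduits: (source zone, destination zone) -> allowed (proto, port) services.
# Directional by design: Control -> DMZ needs its own entry to be allowed.
CONDUITS = {
    ("Enterprise", "DMZ"): {("tcp", 443)},
    ("DMZ", "Control"): {("tcp", 102)},   # IEC 61850 MMS from the DMZ gateway
}

_NETS = {name: [ipaddress.ip_network(n) for n in nets] for name, nets in ZONES.items()}


def overlapping_zones():
    """Pairs of zones whose address ranges overlap (a modelling error)."""
    names = list(_NETS)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(x.overlaps(y) for x in _NETS[a] for y in _NETS[b]):
                found.append((a, b))
    return found


def zone_of(ip):
    """Name of the zone containing ip, or None if the asset is unassigned."""
    addr = ipaddress.ip_address(ip)
    for name, nets in _NETS.items():
        if any(addr in n for n in nets):
            return name
    return None


def check_rule(rule):
    """Return 'ok' or the reason the rule violates the zone/conduit model."""
    s, d = zone_of(rule.src), zone_of(rule.dst)
    if s is None or d is None:
        return f"asset not assigned to any zone: {rule.src if s is None else rule.dst}"
    if s == d:
        return "ok"   # intra-zone; micro-segmentation inside the zone is a separate policy
    services = CONDUITS.get((s, d))
    if services is None:
        return f"no conduit declared from {s} to {d}"
    if (rule.proto.lower(), rule.port) not in services:
        return f"{rule.proto}/{rule.port} not permitted on conduit {s} -> {d}"
    return "ok"


def violations(rules):
    """(rule, reason) for every rule that does not fit the declared model."""
    out = []
    for r in rules:
        reason = check_rule(r)
        if reason != "ok":
            out.append((r, reason))
    return out


# Constructed candidate rule set to be reviewed.
SAMPLE_RULES = [
    Rule("10.0.5.20", "10.10.0.5", "tcp", 443),        # Enterprise -> DMZ, declared
    Rule("10.0.5.20", "192.168.10.7", "tcp", 502),     # Enterprise -> Control, no conduit
    Rule("10.10.0.5", "192.168.10.7", "tcp", 102),     # DMZ -> Control MMS, declared
    Rule("10.10.0.5", "192.168.10.7", "tcp", 22),      # SSH not on the conduit
    Rule("192.168.10.7", "192.168.20.3", "tcp", 502),  # into the isolated Safety zone
    Rule("172.16.0.9", "192.168.10.7", "tcp", 502),    # source not in any zone
    Rule("192.168.10.7", "192.168.10.8", "tcp", 502),  # intra-zone, allowed here
    Rule("192.168.10.7", "10.10.0.5", "tcp", 102),     # reverse direction, not declared
]

if __name__ == "__main__":
    assert not overlapping_zones(), "zone ranges overlap"
    for rule, reason in violations(SAMPLE_RULES):
        print(f"{rule.src} -> {rule.dst} {rule.proto}/{rule.port}: {reason}")
```

Run as a pre-change gate: a rule that reaches a zone with no conduit, or that carries a service the conduit does not list, fails review before it reaches the firewall. An address that belongs to no zone is reported too, because an unmodelled asset is the usual way a segmentation design quietly decays.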
Key Takeaways
It is better to understand the security gaps in your infrastructure against an applicable standard: even a basic, initial security gap assessment is better than ignoring the problem!
Q&A
More information at fortinet.com/ot
Thank You!
Continue Learning
REGISTER TODAY | Part 2
Fortinet’s mission is to secure people, devices, and data everywhere.