CyberSecurity Malaysia | An Agency Under MOSTI
Organizer:
Endorsed by:
People First, Performance Now
Ministry of Science, Technology and Innovation
BRIDGING BARRIERS:
LEGAL AND TECHNICAL OF
CYBERCRIME CASES
Session 6: Securing Your Fortress
Best practices, standards, techniques and technologies to secure your organization from cyber criminals.
5 July 2011
Dani Michaux
Back to basics
Statistics
Understanding the underlying complexities and issues within organizations (real-life experiences)
Defining strategies and techniques
Global remediation efforts within organizations with complex environments – challenges
Education/Awareness
“Information”
• Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected
• Information can exist in many forms – database, system documentation, user manual, operational procedures and research information
Security Breaches in 2010 – Worrying Statistics
Source: MyCERT
Security Breaches in 2010 – Scary…
Stuxnet
APT
Cyber Intelligence
Cyber Warfare
Latest case of customer data being leaked…
Security Breaches in 2011 – Scary…
Underlying complexities – real cases
• No clearly defined roles and responsibilities (grey operational areas)
• No clear understanding of different technology advancements and the potential security implications of adopting new technologies
• No clear understanding of potential risk attack vectors (where do the threats come from?) and rare understanding of BIA
Underlying complexities
• Wrong attitude – “Nothing happened for the past 25 years, why would it happen now, what's changed?”
• Full trust in vendors – “They should know best, this is their system, they are the experts”
Defining Strategies and Techniques
CNII to be ISMS Certified by 2013
Standards Overview

API 1164 – “SCADA Security”

The SCADA security standard, API 1164, provides guidance to the operators of oil and gas liquid pipeline systems for managing SCADA system integrity and security. The use of this document is not limited to pipelines regulated under Title 49 CFR 195.1, but should be viewed as a long listing of best practices to be employed when reviewing and developing standards for a SCADA system. The API standard, to date, applies only to pipeline operators and does not cover refineries. Previously released cyber-security guidelines are considered by API to be adequate for refineries at this time. Although the standard does address physical security, the primary thrust of this document is cyber security and access control. This document embodies "API Security Guidelines for the Petroleum Industry," and is specifically designed to provide the operators with a description of industry practices in SCADA security and to provide the framework needed to develop sound security practices within the operator’s individual companies.

NERC Security Guidelines – “Security Guidelines for the Electricity Sector”

The “NERC Security Guidelines for the Electrical Sector” consists of 14 sections addressing both physical and cyber security. These guidelines describe general approaches, considerations, practices, and planning philosophies to be applied in protecting the electric infrastructure systems. These guidelines are advisory in nature, and each user determines how they will be used.
Standards Overview

NERC 1200 – “Urgent Action Standard 1200 – Cyber Security”

North American Electric Reliability Council (NERC), recognized as the energy sector coordinator by FERC, DOE, and DHS, developed the “Urgent Action Cyber Security Standard” (NERC 1200) as a temporary standard to establish a set of defined security requirements related to the energy industry and to reduce risks to the reliability of the bulk electric systems from any compromise of critical cyber assets. NERC 1200 applies to entities performing various electric system functions, as defined in the functional model approved by the NERC Board of Trustees in June, 2001.

NERC 1300 – “Cyber Security”

The current draft NERC standard was Draft Version 1 of NERC 1300. This is the document that was reviewed. The current draft NERC cyber security standard, CIP-002 through CIP-009, when released, will replace NERC 1200, “Urgent Action Cyber Security Standard.” These standards are in the review process by the North American Electric Reliability Council. The first drafts of these standards were released for review on September 15, 2004; review comments submitted on the third draft are now in review by the standards committee. These standards are expected to cover essentially the same material as NERC 1200, but in more detail.
Governance – achieving success
Effective governance framework:
• Vision
• Stakeholder identification, engagement and management
• Sponsorship
• What are you creating versus plugging in to?
• Communication – language, passion, risk and business focus, and clarity
• Culture
• Delivery
Benefits of a harmonised governance system
• A single control framework allows integrated assurance
• Benefits:
  – Reduced assurance costs
  – Single view of compliance state
  – Easily demonstrable to stakeholders
  – Reduced business interruption
  – Fewer audits
  – Controls optimisation and automation
A way of operating effectively

Today:
• Project oriented
• Viewed in isolation
• Managed disparately
• Separated from the flow of business
• Owned by compliance
• Manual and reactive
• Reactive compliance

What happens when?
• People leave
• Processes are improved
• New systems are implemented
• Businesses are sold/acquired
• Processes are outsourced

Tomorrow:
• “The way we do business”
• Dynamic and action-oriented
• Integrated into processes
• Process and data centric
• Owned by the “business”
• Automated and preventive
• Proactive organisational model, capabilities-driven approach
The Sweet Spot for Harmonised IT Compliance
[Figure: compliance maturity / business risk (vertical axis) plotted against program spend (£££) / time (horizontal axis), showing the business risk and compliance process curves, the current position (“Today”), the “Sweet Spot” and the point of “Diminishing Returns”.]
Control model
• What types of controls do you implement?
  – Mandatory – legislation specific to country
    • Data Protection Act, Computer Crime Act…
  – Core – customer requirements, industry requirements
    • PCI, SOX, Basel II/III, ITIL, …
  – Voluntary – business driven
    • ISO 27001, ISO 20000, BS 25999, …
Key Thoughts
• IT compliance will grow more complex
• GOAL
  – Multiple requirements / controls → one control framework
  – Multiple audits, multiple auditors → one auditor
• Integrated assurance can
  – Reduce assurance costs
  – Provide a single view of compliance and manage business risk
  – Minimise business interruption
Global Remediation Efforts – Challenges
• Example of remediation efforts
  – Complex environments within the utilities sector
    • Core business vs. enterprise IT (do we understand the difference, and what do our policies cover?) – SCADA, PCD networks, core telco, NGN, etc.
    • Convergence risks (old infrastructure with new)?
    • Vendors / third parties – they know best and they have access to support us – attack vectors?
Global Remediation Efforts – Challenges
• No standardized policies
• No standardized technologies
• Various systems and system generations (can we have standardized logging?)
• Controls over the operational environment (operational convenience vs. control and security)
• No right skills in-house for incident response (admin expected to perform all tasks, dependence on key staff)
Global Remediation Efforts – Challenges
• Inability to understand the extent of the attacks
• Commercialization risks
  – If I get my vendor to support my operations through remote connectivity, do I fully understand the associated risks?
  – My provider will monitor my network for me: can we see any associated risks? Have we included them in the risk register? How are we managing it, through contracts or based on trust?
Importance of education and awareness
Q&A