Mapping security frameworks to your critical assets –
a focus on regional guidelines and NIST CSF
Richard Bussiere
Technical Director, Operational Technology, APAC
Agenda
• Quick review of Singapore’s OT Cybersecurity Master Plan
• Introduction to key components of the Cybersecurity Code of Practice, and what YOU need to do
• How to leverage the NIST Cybersecurity Framework to comply with the CCoP
Why Worry?
Figure: the four industrial revolutions (source: https://iebmedia.com, https://www.i-scoop.eu/)
Industry 1.0: Manual Production + Steam Power = Industry
Industry 2.0: Industry + Electricity = Mass Production
Industry 3.0: Mass Production + Computers = Distributed Control System (DCS)
Industry 4.0: DCS + Internet = IIoT (Industrial Internet of Things)
Each step adds a layer on top of the previous one: OT machinery and hardware (PLCs, RTUs, HMIs, SCADA; systems experts monitoring and controlling physical plant equipment) gains embedded computing, networking and communication technologies, and then IT software and networks (remote industrial software and hardware, cloud infrastructures, web-based deployment, rapid scalability, Java, SQL and Python) that store, process and deliver information.
Migration towards a full mesh!
Figure: traditional supply chain versus digital supply networks (source: Deloitte analysis, Deloitte University Press, dupress.deloitte.com). The traditional supply chain is linear: Develop, Plan, Source, Make, Deliver, Support. The digital supply network places a Digital Core in the middle with every capability connected to it: Synchronized Planning, Cognitive Planning, Dynamic Fulfillment, Connected Customer, Quality Sensing, Sensor-driven Replenishment, Digital Development, Smart Factory, Intelligent Supply and 3D Printing.
Figure source: Operational Technology Cybersecurity Masterplan 2019
MITRE ATT&CK has existed for IT environments as ATT&CK for Enterprise. MITRE has leveraged this work and expanded it for ICS.
Enterprise networks are used as a conduit to penetrate control system networks. ATT&CK for ICS focuses on what happens once an adversary achieves penetration beyond the IT ‘conduit’.
• Reflects attacker behaviour and the attack lifecycle
• Reflects ICS assets and systems known to be targeted
• Disruption of physical processes, destroying property, causing environmental damage, financial disruption, even death
ATT&CK for ICS matrix (tactics, with the techniques shown on the slide):
Initial Access: Data Historian Compromise, Drive-by Compromise, Engineering Workstation Compromise, Exploit Public-Facing Application, External Remote Services, Internet Accessible Device, Replication Through Removable Media, Spearphishing Attachment, Supply Chain Compromise, Wireless Compromise
Execution: Change Program State, Command-Line Interface, Execution through API, Graphical User Interface, Man in the Middle, Project File Infection, Scripting, User Execution
Persistence: Hooking, Module Firmware, Program Download, Project File Infection, System Firmware, Valid Accounts
Evasion: Exploitation for Evasion, Indicator Removal on Host, Masquerading, Rogue Master Device, Rootkit, Spoof Reporting Message, Utilize/Change Operating Mode
Discovery: Control Device Identification, I/O Module Discovery, Network Connection Enumeration, Network Service Scanning, Network Sniffing, Remote System Discovery, Serial Connection Enumeration
Lateral Movement: Default Credentials, Exploitation of Remote Services, External Remote Services, Program Organization Units, Remote File Copy, Valid Accounts
Collection: Automated Collection, Data from Information Repositories, Detect Operating Mode, Detect Program State, I/O Image, Location Identification, Monitor Process State, Point & Tag Identification, Program Upload, Role Identification, Screen Capture
Command and Control: Commonly Used Port, Connection Proxy, Standard Application Layer Protocol
Inhibit Response Function: Activate Firmware Update Mode, Alarm Suppression, Block Command Message, Block Reporting Message, Block Serial COM, Data Destruction, Denial of Service, Device Restart/Shutdown, Manipulate I/O Image, Modify Alarm Settings, Modify Control Logic, Program Download, Rootkit, System Firmware, Utilize/Change Operating Mode
Impair Process Control: Brute Force I/O, Change Program State, Masquerading, Modify Control Logic, Modify Parameter, Module Firmware, Program Download, Rogue Master Device, Service Stop, Spoof Reporting Message, Unauthorized Command Message
ATT&CK for ICS is written from the attacker's perspective, not the defender's. All of the above are gathered from real-world attacks and intelligence sources. It helps defenders to understand the failures and impacts of these methods.
The CSA OT Masterplan has 4 key thrusts:
• Enhance OT cybersecurity training
• Establish an OT Cybersecurity Information Sharing and Analysis Center (OT-ISAC)
• Strengthen OT cybersecurity policies
• Embrace innovative technologies to enhance system resilience
CSA Masterplan Introduces the Cybersecurity Code of Practice
Legally binding: the Chief Information Infrastructure Officer (CIIO) must comply under section 11(6) of the Cybersecurity Act.
Mandatory audits: security audits of the Critical Infrastructures must be carried out periodically, based on the overall risk to the organization.
Audit rectification: a plan for correcting non-compliance must be issued within 30 days of a failed audit.
Organizational structure: the CII security organizational structure must be clearly defined by the CIIO.
Roles and responsibilities: the roles of individuals within the CII must be clearly defined, and those individuals held accountable to the CIIO.
Risk management: all risks must be identified and prioritized, and a risk register maintained.
Cybersecurity Code of Practice
Protection Requirements / System Hardening:
• Access controls with logging of access, multi-factor authentication
• Baseline configuration standards for all devices within the CII
• Least access privilege, password complexity, deletion of unused accounts, unused services, patching …
• Auditing of hardening & system configurations
Remote Connections & Removable Storage Media Controls:
• Controls to enable remote connections only when necessary
• Strong authentication, message integrity, encryption of all traffic
• Disable all USB ports
• Limit portable computers entering the CII
• Encrypt removable media
• Use of “Jump Servers” for external connectivity and transfer of data to/from removable media
Monitoring & Detection:
• Identifying threats & incidents
• Identification of approved network protocols
• Identification of new network protocols
• Changes to baseline protocols
• Changes to baseline or anomalous communications patterns
Vulnerability Management & Penetration Testing:
• Vulnerability management
• Remediation management
• Penetration testing
• Cyber exercises
• Approved applications only; identification & removal of unapproved applications
• Configuration mgmt., patch mgmt., change mgmt., incident mgmt.
OBSERVATIONS
IT vs OT Priorities: Priority Totally Flipped
When it comes to industrial control and automation, Safety, Uptime & Quality are the priorities according to NIST.
● Blocked or delayed flow of information through ICS networks, which could disrupt ICS operation
● Unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life
● Inaccurate information sent to system operators, either to disguise unauthorized changes, or to cause the operators to initiate inappropriate actions, which could have various negative effects
● ICS software or configuration settings modified, or ICS software infected with malware, which could have various negative effects
● Interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment
● Interference with the operation of safety systems, which could endanger human life.
Complying With The CCoP Using NIST CSF
Many of the CCoP requirements are basic cyber hygiene practices.
Tools are readily available for supporting the NIST CSF Framework.
The CSF:
• Expresses all cybersecurity activities in a common language
• Provides crucial guidance for reinforcing security controls while maintaining a focus on operational objectives
• Leverages existing standards for compliance – existing processes and guidelines can be mapped into the CSF
• Provides a vehicle to effectively and uniformly measure cybersecurity effectiveness, independent of any existing framework
The National Institute of Standards and Technology (NIST) Cybersecurity Framework is…
• Repeatable
• Common Language
• Flexible
• Technology Neutral
• Cost Effective
• Measurable!
Objectives of CSF in a Nutshell
• Describe Current Security Posture
• Describe Target Security Posture
• Assess Progress towards Target Posture
• Communicate Risk
• Continuous Improvement
Structure
Function Unique Identifier | Function | Category Unique Identifier | Category
ID | Identify | ID.AM | Asset management
ID | Identify | ID.BE | Business environment
ID | Identify | ID.GV | Governance
ID | Identify | ID.RA | Risk assessment
ID | Identify | ID.RM | Risk management strategy
PR | Protect | PR.AC | Access control
PR | Protect | PR.AT | Awareness and training
PR | Protect | PR.DS | Data security
PR | Protect | PR.IP | Information protection processes and procedures
PR | Protect | PR.MA | Maintenance
PR | Protect | PR.PT | Protective technology
DE | Detect | DE.AE | Anomalies and events
DE | Detect | DE.CM | Security continuous monitoring
DE | Detect | DE.DP | Detection processes
RS | Respond | RS.RP | Response planning
RS | Respond | RS.CO | Communications
RS | Respond | RS.AN | Analysis
RS | Respond | RS.MI | Mitigation
RS | Respond | RS.IM | Improvements
RC | Recover | RC.RP | Recovery planning
RC | Recover | RC.IM | Improvements
RC | Recover | RC.CO | Communications
Structure Example
Function Unique Identifier | Function | Category Unique Identifier | Category | Subcategory | Informative References
ID | Identify | ID.AM-1 | Asset Management | Physical devices within the organization are inventoried | CCS-CSC1; COBIT 5; ISA-62443-2-1:2009
ID | Identify | ID.AM-2 | Asset Management | Software platforms and applications within the organization are inventoried | CCS-CSC1; COBIT 5; ISA-62443-2-1:2009
CSF Component 2 – Framework Implementation Tiers
How cybersecurity risks and processes are viewed within the organization:
• Partial
• Risk Informed
• Repeatable
• Adaptable
A Common Language for All Levels
Figure: information and decision flows between three levels.
Executive Level. Focus: organizational risk. Actions: risk decision/priority. Passes priorities, risk appetite and budget down to the process level.
Process Level. Focus: risk management. Actions: select profile, allocate budget. Reports status and changes in risk up to the executive level; passes the Framework Profile down to the operations level.
Operations Level. Focus: risk management implementation. Actions: secure infrastructure, implement profile. Reports implementation progress, vulnerabilities, threats and assets up to the process level.
Process
Step | Inputs / Output
Prioritize and Scope | Business objectives, priorities, strategy
Orient | Related systems, assets, regulations
Risk Assessment | Exposure, tolerance
Create Current Profile | Where you are now
Create Target Profile | Where you need to be
Gap Analysis | Delta between Current/Target
Action Plan | Measure
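The Current Profile, Target Profile, Gap Analysis and Action Plan steps above, carried through in code. This is an added example, not code from the presentation or from any NIST or CSA material: the CCoP-to-CSF mapping (CCOP_TO_CSF), the per-subcategory scores and the target level are constructed assumptions, and the subcategory ids beyond ID.AM-1 and ID.AM-2 are standard CSF v1.1 identifiers with paraphrased outcome text.

```python
"""Gap analysis between a Current and a Target CSF Profile.

Added example, not from the presentation. The CCoP-to-CSF mapping, the
per-subcategory scores and the target level are constructed assumptions.
"""
from dataclasses import dataclass

# CSF v1.1 subcategory identifiers with paraphrased outcome statements.
# ID.AM-1 and ID.AM-2 appear on the slide; the rest are standard CSF ids.
SUBCATEGORIES = {
    "ID.AM-1": "Physical devices within the organization are inventoried",
    "ID.AM-2": "Software platforms and applications are inventoried",
    "PR.AC-1": "Identities and credentials are managed for devices, users, processes",
    "PR.AC-7": "Users, devices and other assets are authenticated",
    "PR.IP-1": "A baseline configuration of IT/ICS is created and maintained",
    "DE.AE-1": "A baseline of network operations and expected data flows is established",
    "DE.CM-1": "The network is monitored to detect potential cybersecurity events",
    "RS.MI-3": "Newly identified vulnerabilities are mitigated or accepted",
}

# Constructed mapping of CCoP requirement wording (from the slide) to the CSF
# subcategories that would satisfy it. Illustrative assumption only, not an
# official CSA or NIST crosswalk.
CCOP_TO_CSF = {
    "Baseline configuration standards for all devices": ["PR.IP-1", "ID.AM-1", "ID.AM-2"],
    "Auditing of hardening & system configurations": ["PR.IP-1"],
    "Access controls with logging, multi-factor authentication": ["PR.AC-1", "PR.AC-7"],
    "Identification of approved/new network protocols": ["DE.AE-1", "DE.CM-1"],
    "Vulnerability & remediation management": ["RS.MI-3"],
}

# Scores reuse the deck's tier names as a 0-4 scale per subcategory
# (0 = not implemented, 1 = Partial, 2 = Risk Informed, 3 = Repeatable,
# 4 = Adaptable). Applying tiers per subcategory is a simplification.
CURRENT_PROFILE = {
    "ID.AM-1": 3, "ID.AM-2": 1, "PR.AC-1": 2, "PR.AC-7": 1,
    "PR.IP-1": 1, "DE.AE-1": 0, "DE.CM-1": 1, "RS.MI-3": 3,
}
TARGET_PROFILE = {sub: 3 for sub in SUBCATEGORIES}  # "Repeatable" everywhere


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: int
    target: int
    ccop_requirements: tuple  # CCoP items that depend on this subcategory

    @property
    def delta(self) -> int:
        return self.target - self.current


def ccop_dependents():
    """Invert CCOP_TO_CSF: subcategory -> sorted tuple of CCoP requirements."""
    inverse = {}
    for requirement, subs in CCOP_TO_CSF.items():
        for sub in subs:
            inverse.setdefault(sub, []).append(requirement)
    return {sub: tuple(sorted(reqs)) for sub, reqs in inverse.items()}


def gap_analysis(current, target):
    """Return the subcategories below target, ordered so the largest gap that
    blocks the most CCoP requirements comes first (ties broken by id)."""
    dependents = ccop_dependents()
    gaps = [
        Gap(sub, current.get(sub, 0), level, dependents.get(sub, ()))
        for sub, level in target.items()
        if current.get(sub, 0) < level
    ]
    gaps.sort(key=lambda g: (-g.delta, -len(g.ccop_requirements), g.subcategory))
    return gaps


def coverage_by_function(current, target):
    """Fraction of target subcategories already met, per CSF Function (ID, PR, ...)."""
    met, total = {}, {}
    for sub, level in target.items():
        fn = sub.split(".")[0]
        total[fn] = total.get(fn, 0) + 1
        met[fn] = met.get(fn, 0) + (1 if current.get(sub, 0) >= level else 0)
    return {fn: met[fn] / total[fn] for fn in total}


def action_plan(gaps):
    """One line per gap, in priority order, for the 'Action Plan' step."""
    return [
        f"{g.subcategory}: raise from {g.current} to {g.target} "
        f"({SUBCATEGORIES[g.subcategory]}); unblocks CCoP: "
        + (", ".join(g.ccop_requirements) or "none mapped")
        for g in gaps
    ]


if __name__ == "__main__":
    found = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)
    for line in action_plan(found):
        print(line)
    print(coverage_by_function(CURRENT_PROFILE, TARGET_PROFILE))
```

With these constructed scores the plan starts with DE.AE-1 (no network baseline at all) and then PR.IP-1, because two CCoP items depend on the configuration baseline; the per-Function coverage figures are what the deck's "Measure" step would report back to the process level.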
Components to Measuring Compliance
• Endpoint Assessment
• Analytics
• Network Monitoring
• Event Monitoring
Core CSF Functions Explained
Identify: understand what’s important to the business and what the risks are
Protect: develop safeguards to ensure SAQ
Detect: find bad things
Respond: what you do when bad things happen
Recover: how to restore what the bad guys broke
FINDING AND KEEPING RIGHT!
1. Discovery of all assets, both IT and OT, to know what belongs, the configurations, states, and vulnerabilities: CREATE BASELINE
2. Discovery of network protocols & activities to find normal and identify what isn’t: CREATE BASELINE
3. Constantly monitor for anomalies, Indicators of Compromise and intrusions: ENFORCE BASELINE
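The three steps above, and the CCoP Monitoring & Detection items (identification of approved and new network protocols, changes to baseline or anomalous communications patterns), as one small baseline-then-detect loop. This is an added example, not code from the presentation or any vendor product: the asset inventory, the approved-protocol table and both sets of flow records are constructed, and the finding categories are my own naming.

```python
"""Baseline-then-detect over OT network flows: asset baseline (step 1),
protocol/activity baseline (step 2), continuous monitoring (step 3).
Added example, not from the presentation or any product; the inventory,
approved-protocol table and flow records are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Finding:
    kind: str    # unknown-asset | unapproved-protocol | nonstandard-port | new-communication
    detail: str
    flow: Flow


# Step 1 baseline (constructed): asset inventory, IP -> (name, zone).
ASSETS = {
    "10.10.1.10": ("HMI-1", "supervisory"),
    "10.10.1.20": ("Historian", "supervisory"),
    "10.10.2.5": ("PLC-A", "control"),
    "10.10.2.6": ("PLC-B", "control"),
    "10.10.0.2": ("JumpServer", "dmz"),
}

# CCoP "identification of approved network protocols" (constructed table):
# protocol name -> the port it is expected on.
APPROVED_PROTOCOLS = {"modbus/tcp": 502, "opc-ua": 4840, "ssh": 22}

# Step 2 learning window (constructed): flows seen during normal operation.
LEARNING_FLOWS = [
    Flow("10.10.1.10", "10.10.2.5", "modbus/tcp", 502),
    Flow("10.10.1.10", "10.10.2.6", "modbus/tcp", 502),
    Flow("10.10.1.20", "10.10.2.5", "opc-ua", 4840),
    Flow("10.10.0.2", "10.10.1.10", "ssh", 22),
]

# Step 3 monitoring window (constructed): includes deviations from baseline.
OBSERVED_FLOWS = [
    Flow("10.10.1.10", "10.10.2.5", "modbus/tcp", 502),   # normal
    Flow("10.10.1.20", "10.10.2.5", "opc-ua", 4840),      # normal
    Flow("10.10.3.99", "10.10.2.6", "modbus/tcp", 502),   # unknown source talks to PLC-B
    Flow("10.10.0.2", "10.10.2.5", "ssh", 22),            # jump server straight to PLC-A
    Flow("10.10.1.10", "10.10.1.20", "smb", 445),         # protocol never approved
    Flow("10.10.1.10", "10.10.2.6", "modbus/tcp", 5020),  # approved protocol, odd port
]


def learn_baseline(flows):
    """Step 2: record every (src, dst, proto, dport) tuple seen as 'normal'."""
    return {(f.src, f.dst, f.proto, f.dport) for f in flows}


def name(ip):
    """Asset name from the inventory, or the raw IP when it is not inventoried."""
    return ASSETS[ip][0] if ip in ASSETS else ip


def detect(flows, baseline):
    """Step 3: compare each flow with the asset, protocol and communication baselines."""
    findings = []
    for f in flows:
        for ip in (f.src, f.dst):
            if ip not in ASSETS:
                findings.append(Finding("unknown-asset", ip, f))
        if f.proto not in APPROVED_PROTOCOLS:
            findings.append(Finding("unapproved-protocol", f.proto, f))
        elif APPROVED_PROTOCOLS[f.proto] != f.dport:
            findings.append(Finding("nonstandard-port", f"{f.proto} on {f.dport}", f))
        if (f.src, f.dst, f.proto, f.dport) not in baseline:
            findings.append(Finding("new-communication",
                                    f"{name(f.src)} -> {name(f.dst)} {f.proto}/{f.dport}", f))
    return findings


def summarize(findings):
    """Count findings per kind, for a dashboard or a report."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    baseline = learn_baseline(LEARNING_FLOWS)
    for finding in detect(OBSERVED_FLOWS, baseline):
        print(f"{finding.kind:20} {finding.detail}")
    print(summarize(detect(OBSERVED_FLOWS, baseline)))
```

Note that a flow can raise more than one finding: the unknown host reaching PLC-B is both an asset-inventory miss and a communication never seen in the learning window, which is exactly why the deck treats the asset baseline and the protocol/activity baseline as two separate steps before enforcement.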
1ST: unparalleled visibility of IT and OT assets. Market leading OT threat insights to deliver a unified risk based view of IT and OT. Unified reporting and dashboards for IT and OT assets.
Questions?
Thank you
To schedule an in-depth demo of .OT and .SC, please reach out to [email protected]