sdl deployment in ics
TRANSCRIPT
![Page 1: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/1.jpg)
SDL Deployment in Industrial Control Systems
Mayur Mehta
![Page 2: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/2.jpg)
2
AirplaneHacked
![Page 3: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/3.jpg)
Cyber Incidents
![Page 4: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/4.jpg)
Cyber Threats Emerged Over Time
Source: MITRE
Sop
hist
icat
ion
Decades
![Page 5: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/5.jpg)
NI
Yokog
awa
Honey
wellABB
CODESYSSiel
coEca
va GE
Roack
well
Advan
tech
Schne
ider
SIEMENS
0
20
40
60
80
100
120
Vendors
Row
Cou
nt
• The NIST CVE database - 71,500+ vulnerabilities.• Chart based on ICS 408 CVE
Source: Recorded Future
![Page 6: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/6.jpg)
SHODAN
![Page 7: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/7.jpg)
NORSE View
![Page 8: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/8.jpg)
Cost of Security Lapse
• After release, it costs 30 times more than the fix done in design phase ( As per National Institute of Standards and Technology)
• Goodwill Loss - Customer’s productivity and confidence.
0
10
20
30
2.5x 5x10x
15x
30x
![Page 9: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/9.jpg)
SDL – “Secure Development Lifecycle”
SDL helps us reduce Products maintenance costs and increase reliability of software concerning Security related issues.
![Page 10: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/10.jpg)
Training
![Page 11: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/11.jpg)
..
• Bare minimum knowledge• Role Based knowledge
![Page 12: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/12.jpg)
Requirements
![Page 13: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/13.jpg)
..
•Evaluate requirements •Access Control (Authentication), •Use Control (Authorization), •Logging (Auditing), •Confidentiality, •Integrity,•Availability.
•Standards •IEC-62443 •IEC-62351 •NIST 800-82/800-53 •NERC CIP
![Page 14: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/14.jpg)
Design
![Page 15: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/15.jpg)
..
Step1 Perform Threat Modeling Security design practice
Step2 Produce a Mitigation Action Plan STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) & DREAD (Damage Potential, Reproducibility, Exploitability, Affected Users, and Discoverability).
Step3 Perform Attack Surface Analysis & Reduction
Step4 Conduct a Secure Architecture Design Review
![Page 16: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/16.jpg)
Implementation
![Page 17: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/17.jpg)
..
Step1 Implement Security featuresStep2 Use approved toolsStep3 Secure Coding practices
Review Source Code – top 10 to top 100 best secure coding practices Perform Static Analysis – using Klocwork, FxCop, Fortify etc. Analyze & Fix security issues
![Page 18: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/18.jpg)
Verification
![Page 19: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/19.jpg)
Step1 Penetration test plan - Attack surface and Security requirements.
Step2 Test security requirement against attack vectors. Step3 Manual and/or automated vulnerability assessment. Step4 Penetration attempts.Step5 Remove false positives.
Step6 Final report with evidence(s).
![Page 20: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/20.jpg)
Release
![Page 21: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/21.jpg)
Step1 Results vs goalsStep2 Security features & settings in documentation
![Page 22: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/22.jpg)
Response
![Page 23: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/23.jpg)
• Incident response• Providing fixes on zero day vulnerability• Forensics Analysis• Binary Vulnerability Scanning• Responsible Disclosure
![Page 24: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/24.jpg)
![Page 25: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/25.jpg)
• Security is not a goal that can be reached• New vulnerabilities are discovered daily• Threats continue to evolve• Weak points in the system change, becoming new points of attack
• Security is a process and an attitude
SDL – “Secure Development Lifecycle”
![Page 26: Sdl deployment in ics](https://reader035.vdocuments.mx/reader035/viewer/2022062822/588203cb1a28abf05e8b5333/html5/thumbnails/26.jpg)
Reference•http://nvlpubs.nist.gov/•NIST 800-82 Guide to Industrial Control Systems (ICS) Security•Microsoft SDL•www.recordedfuture.com•http://www.isasecure.org/•NERC - North American Electric Reliability Corporation •IEC 62443 (formerly ISA-99)•ISO 27001 and 27002•OWASP - www.owasp.org/ •SE PSO wiki
The key to successful cyber defence is preparation...
Thank you.