Posted on 13-Mar-2020

TRANSCRIPT

Page 1: Assessing information security maturity in an industrial company

Ekaterina Rudina

Critical Infrastructure Defense

KL ICS-CERT

Page 2: Contents

1. Motivation

2. Security Maturity assessment as a base for security processes in IIoT

3. Security Maturity Model, its purpose and intended use

4. Security Maturity enhancement process

5. Identifying and targeting required Security Maturity level

6. Conclusions and further work

Page 3: Security facets: which, when, where, and to which extent?

(Figure: word cloud of threat and technology trends.) Consumerization & mobility; Increasing online commerce; Critical infrastructure at risk; Big data; Internet of Things; Cloud & virtualization; Privacy & data protection challenge; Fragmentation of the Internet; Cars become smarter; Connected Cities; Mobile threats; Online banking at risk; Massive data leaks; Decreasing cost of APTs; Commercialization of APTs; Supply chain attacks; Cyber-mercenaries; "Wipers" & cyber-sabotage; Targeted attacks; Financial phishing attacks; Ransomware; Malware for ATMs; Attacks on PoS terminals; Merger of cybercrime and APTs; Targeting hotel networks; Hacktivism; Vulnerable connected cars; Ransomware in targeted attacks; Threats to Smart Cities; Attacks on Smart Cities; IoT botnets

Security facets: Patch management; Risk attitude; Threat modeling; Access control; Asset management; Security policy; Vulnerability assessment; Incident response

Page 4: Difference between Security Level and Security Maturity Level

SECURITY LEVEL is the degree of implementation of security practices, mechanisms, and procedures.

SECURITY MATURITY LEVEL is the degree of understanding of the current Security Level, its benefits, and the cost of supporting it.

Maturity scale shown on the slide, in increasing order:

- Consistency in the implementation

- Assurance on the implementation

- Confidence in assurance cases

Page 5: Example. Approaches to the Threat Modeling facet

Horizontal models: general (such as STRIDE or the CAPEC classification) or technology specific (OWASP Top 10)

++ valid across various IIoT domains

-- sometimes they cannot be properly applied to the particular domain

-- in some other cases they do not cover the specific risks

Vertical models: valid within one domain (LINDDUN, PASTA, the NCC template)

++ take into account the specific risks of the domain

-- may cover only a narrow set of technologies

-- some "vertical" models address only certain objectives

Combining the methods and models is the best option.

Page 6: Stakeholders

General objective: collaboration of the stakeholders in the process of reaching the mature state.

Different stakeholders consider the same aspects from different viewpoints.

Business level stakeholders define the security goals*

Technical level stakeholders implement the mechanisms and procedures**

* Business level here means security-aware stakeholders (not the CEO but the CISO)

** Technical level means not code writers but architects, high-level developers, etc.

Page 7: Stakeholders and the process (figure)

Business level stakeholder: CISO level

Technical level stakeholders: Architects, High-level Developers

Activities shown: Creating the Security Maturity Target; Planning the roadmap; Security Maturity Assessment; Gap Analysis; Security Maturity Enhancement; Collaboration between the two levels

Page 8: The Process (figure)

One iteration: Perform evaluation -> Analyze identified gaps -> Prioritize and plan -> Implement plans.

The iteration repeats from State 1 (initial) through State 2 ... State n until the Security Maturity Target is reached.

Page 9: Security Maturity Target (figure)

The SM Target defines what 100% Security Maturity for the system is.

Business level - Strategist (Business Strategy Maturity Model): knows the concerns; determines the objectives.

Business level - Security Context Aware Practitioner (Security Maturity Model): knows the context; creates the new Target / reuses the Profile / ...

Technical level stakeholders - Architects, High-level Developers: know the technical details; implement the roadmap to get to the Target.

The three roles collaborate on the Security Maturity Target.

Page 10: Security Maturity Model: dimensions, security domains, security practices

Dimension: Governance
  Security domain: Security Program
    Security practices: Security Program Management; Compliance Management
  Security domain: Threat Modeling and Risk Assessment
    Security practices: Threat Modeling; Risk Attitude
  Security domain: Supply Chain and Dependencies Management
    Security practices: Supply Chain Risk Management; Third-Party Dependencies Management

Dimension: Enablement
  Security domain: Identity and Access Management
    Security practices: Establishing and Maintaining Identities; Access Control
  Security domain: Asset, Change and Configuration Management
    Security practices: Asset Management; Change and Configuration Management
  Security domain: Data Protection
    Security practices: Security Model and Policy for the Data; Implementation of Data Protection Controls

Dimension: Hardening
  Security domain: Vulnerability and Patch Management
    Security practices: Vulnerability Assessment; Patch Management
  Security domain: Situational Awareness
    Security practices: Auditing; Information Sharing and Communication
  Security domain: Incident Response, Continuity of Operations
    Security practices: Event and Incident Response; Remediation, Recovery and Continuity of Operations

Page 11: Measuring scale for a Security Facet (figure)

Two axes: Sophistication (vertical) and Specificity (horizontal: General / IIoT sector specific / System specific).

Every box contains: Business objectives / Assessment guidance / Enhancement guidance

Sophistication and specificity are measured independently.

Page 12: The detailed scale

The rows describe the measure of comprehensive, consistent, and highly assured implementation of security controls.

The columns relate to a customized, technically appropriate approach to the implementation of security controls.

Sophistication and specificity are measured independently.

Columns (specificity): General / IIoT sector specific / System specific

Rows (sophistication, in increasing order of maturity):

- No information on how the Security Facet is applied

- The Security Facet is implemented somehow

- The Security Facet is implemented taking the main use cases into account

- The Security Facet employs the generally accepted methods, classifications, tools, software, etc.

- The Security Facet is implemented consistently, using a process-oriented approach

Page 13: Security Facets and their maturity (figure)

Threat Modeling; Protection of endpoints; Secure communications; ...; Incident handling; Recovery and remediation; Vulnerability & Patch management; Supply chain management; Compliance/conformance assessment

Page 14: The Security Maturity Model (figure: two grids, each with a Specificity axis and a Sophistication axis)

Page 15: EXAMPLE. SM Target (figure: target levels per domain)

Domains shown: Security strategy and Governance; Threat Modeling and Risk Assessment; Supply Chain and External Dependencies Management; Identity and Access Management; Asset, Change and Configuration Management; Vulnerability and Patch Management; Situational Awareness; Event and Incident Response, Continuity of Operations; Information Sharing and Communication

Page 16: EXAMPLE. SM State (figure: current levels for the same domains)

Page 17: EXAMPLE. How to get the Target? (figure: SM State against SM Target for the same domains)

Page 18: The Roadmap

Example facet: Asset, Change and Configuration Management.

(Figure: grid with specificity on one axis, General / Industrial sector specific / System specific, and sophistication on the other, Level 1 to Level 4. Three candidate paths are drawn through the grid, each split into Phase 1, Phase 2 and Phase 3.)

• SMM allows choosing the direction and the strategy:

- use known security practices (increase sophistication, the maturity axis)

- tailor the security processes to the system (increase specificity), or

- step-by-step increase both parameters
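The detailed scale, the Target/State/gap example and the three roadmap strategies above all come down to arithmetic on (sophistication, specificity) pairs, one pair per security practice. The following Python is an added example written for this transcript; it is not the IIC SMM tool or the Excel questionnaire the talk mentions. Level names and the domain/practice names are taken from the slides; the sample TARGET and STATE values, and the rule that an unassessed practice is scored as "no information" (0, 0), are constructed assumptions of this example.

```python
"""Security Maturity Target vs. State on the two-axis SMM scale.

Added example for this transcript, not the IIC SMM tool. Level names follow
the slides; the sample TARGET/STATE values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Rows of the detailed scale: sophistication 0..4 (the "maturity" axis).
SOPHISTICATION = {
    0: "No information on how the facet is applied",
    1: "Implemented somehow",
    2: "Implemented taking the main use cases into account",
    3: "Employs generally accepted methods, classifications and tools",
    4: "Implemented consistently, using a process-oriented approach",
}
# Columns of the scale: specificity 0..2, measured independently.
SPECIFICITY = {0: "General", 1: "IIoT sector specific", 2: "System specific"}

Score = Tuple[int, int]  # (sophistication, specificity)


@dataclass(frozen=True)
class Facet:
    domain: str
    practice: str


def validate(score: Score) -> Score:
    """Reject scores outside the scale instead of silently clamping them."""
    soph, spec = score
    if soph not in SOPHISTICATION or spec not in SPECIFICITY:
        raise ValueError(f"score {score} is outside the scale")
    return score


def gap(target: Score, state: Score) -> Score:
    """Per-axis shortfall of state against target; overshoot counts as no gap."""
    return (max(0, target[0] - state[0]), max(0, target[1] - state[1]))


def gap_analysis(targets: Dict[Facet, Score], states: Dict[Facet, Score]):
    """Facets below target on at least one axis, largest total gap first.
    A practice missing from the assessment is taken as (0, 0), i.e. 'no
    information' (assumption of this example)."""
    rows = []
    for facet, t in targets.items():
        s = states.get(facet, (0, 0))
        g = gap(validate(t), validate(s))
        if g != (0, 0):
            rows.append((facet, s, t, g))
    return sorted(rows, key=lambda r: (-(r[3][0] + r[3][1]), r[0].domain))


def maturity_percent(targets: Dict[Facet, Score], states: Dict[Facet, Score]) -> float:
    """Progress toward the SM Target, which the slides define as 100% maturity."""
    achieved = needed = 0
    for facet, t in targets.items():
        s = states.get(facet, (0, 0))
        needed += t[0] + t[1]
        achieved += min(s[0], t[0]) + min(s[1], t[1])
    return round(100.0 * achieved / needed, 1) if needed else 100.0


def roadmap(state: Score, target: Score, strategy: str) -> List[Score]:
    """Intermediate states, one per phase, from state to target for one facet.
    'maturity' raises sophistication first, 'specificity' tailors to the
    system first, 'both' moves one step on each open axis per phase."""
    if strategy not in ("maturity", "specificity", "both"):
        raise ValueError(f"unknown strategy {strategy!r}")
    soph, spec = validate(state)
    validate(target)
    goal = (max(target[0], soph), max(target[1], spec))  # never regress an axis
    phases: List[Score] = []
    while (soph, spec) != goal:
        up_soph, up_spec = soph < goal[0], spec < goal[1]
        if strategy == "maturity":
            soph, spec = (soph + 1, spec) if up_soph else (soph, spec + 1)
        elif strategy == "specificity":
            soph, spec = (soph, spec + 1) if up_spec else (soph + 1, spec)
        else:
            soph, spec = soph + int(up_soph), spec + int(up_spec)
        phases.append((soph, spec))
    return phases


# Constructed sample system: four practices from the SMM practice list.
_ASSET = Facet("Asset, Change and Configuration Management", "Asset Management")
_PATCH = Facet("Vulnerability and Patch Management", "Patch Management")
_TM = Facet("Threat Modeling and Risk Assessment", "Threat Modeling")
_IR = Facet("Incident Response, Continuity of Operations", "Event and Incident Response")
TARGET: Dict[Facet, Score] = {_ASSET: (4, 2), _PATCH: (3, 1), _TM: (3, 2), _IR: (2, 1)}
STATE: Dict[Facet, Score] = {_ASSET: (1, 0), _PATCH: (3, 1), _TM: (2, 0)}  # _IR unassessed

if __name__ == "__main__":
    print(f"maturity vs target: {maturity_percent(TARGET, STATE)}%")
    for facet, s, t, g in gap_analysis(TARGET, STATE):
        print(f"{facet.practice}: state {s} target {t} gap {g}")
    for strategy in ("maturity", "specificity", "both"):
        print(strategy, roadmap(STATE[_ASSET], TARGET[_ASSET], strategy))
```

Two design choices matter in practice. An unassessed practice is deliberately scored at the bottom of the scale rather than skipped, so a gap analysis cannot look better simply because a questionnaire was left incomplete. And roadmap never plans a regression: a practice that is already more system-specific than its target keeps that specificity, and the phases only close the remaining sophistication gap.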

Page 19: Conclusions, current and further work

Two documents describing the SMM and its use:

1. SMM description and intended use

2. SMM details and how to apply it

A tool (currently Excel-based) to support the process of setting the SM Target:

1. Questionnaire for the business level stakeholders

2. Visualization of the SM Target and SM State

Work continues in the Security Applicability WG of the Industrial Internet Consortium.

Many IIC members are already interested in the results.

Contributions, comments, and reviews are welcome!

Page 20: LET'S TALK?

Kaspersky Lab HQ

39A/3 Leningradskoe Shosse

Moscow, 125212, Russian Federation

Tel: +7 (495) 797-8700

www.kaspersky.com