
We Welcome You to the 7th Annual Hacking Conference

Lessons Learned in Cybersecurity Governance for IT/OT Convergence

Scott’s bio: Scott Shinners has over 28 years of professional experience in internal and external auditing, consulting, information technology management, business process improvement, and internal controls across a wide variety of clients in industries including manufacturing, consumer products, financial services, nonprofits, and other commercial entities. He also has experience providing leadership in the areas of internal audit, SAP and other ERP systems risks and controls, information technology controls, continuous audit, data analytics, information technology security, enterprise risk management, and corporate governance.

Ghazi’s bio: Tauseef Ghazi currently serves as a principal in RSM’s security and privacy risk practice. He is a technical lead with more than 15 years of infrastructure security, system implementation and application security review experience. He has served as the lead director with responsibility for planning, budgeting, execution and delivery of information technology (IT) security assessments, cyber maturity evaluations, process control assessments, data privacy, business continuity, disaster recovery, IT governance, IT performance, IT risk assessment, infrastructure risk assessments, penetration testing and diagnostics.

How to Claim CPE Credit

CPE link: visit https://iiachi.cnf.io or scan the QR code

Code: kananga

© 2020 RSM US LLP. All Rights Reserved.

LESSONS LEARNED IN CYBERSECURITY GOVERNANCE FOR IT/OT CONVERGENCE

Shifts in Industrial Control and IoT Risks

November 10, 2020

Introductions

RSM US LLP

Tauseef Ghazi, Principal, Risk Consulting: Leader in RSM’s security and privacy risk practice with over 20 years of cybersecurity, implementation and security experience in both IT and OT environments.

Scott Shinners, Partner, Risk Consulting: Leader in RSM’s technology risk services practice with over 30 years of internal audit, consulting, and IT governance experience.

Learning objectives

• Understand the key elements of the evolving threat landscape and of the IT/OT convergence

• Learn to address why organizations are considering IT/OT convergence

• Identify the key success factors and pitfalls in integrating IT and OT as well as the steps involved in an IT/OT convergence

• Understand the key elements of cybersecurity governance frameworks that can be used to determine what steps to take to better secure the organization

IT / OT CONVERGENCE

The rapidly changing technology landscape

Shift in Industrial Control System landscape

Evolutionary drivers in industrial cyber security (timeline, 1980 to 2020):

• Direct digital control via serial

• Ethernet adopted

• UNIX and TCP/IP adopted to promote openness

• First PLCs used

• Windows becomes de-facto control software; Unix dominates RTOS

• Suppliers switch to commercial off-the-shelf hardware components

• Suppliers shift to software and value-add services

• IT platforms become “standardized”

• ICS systems connected to enterprise/public internet

• Hybrid environments cause skill set gaps

• NERC CIP v5 regulations

• Industrial IoT vision

• Increasing desire and need for automation

• AR & VR becoming common UI

Polling question # 1

Has your company or client(s) implemented significant numbers of

IoT devices inside your (clients’) organization?

A. Yes

B. No


Polling question # 2

If you have implemented a significant number of IoT devices across

your network, are the processes (including risk management) and

controls included in your ERM/IT audit scope?

A. Our ERM covers IoT device risks

B. Our IT audit coverage includes IoT device risks

C. We have Both ERM and IT audit coverage over IoT devices

D. Significant IoT exists, but we have not built into ERM/IT Audit coverage

E. We do not have significant risks associated with IoT


Shift in Industrial Control System landscape

New dimensions to risk and exposure within ICS (1990 to 2020)

Analog ICS (traditional risks):

• Critical equipment failure

• Health and safety

• Compliance and regulatory

• Theft or misuse of asset

• Physical espionage

• Human error

• Environmental

Digital ICS (emerging risks):

• Cyber espionage

• Cyber attacks

• Privacy risks

• Unavailability of critical systems

• Critical system failure

• Interconnectivity risks

• Loss of critical data

• Automation errors and misconfiguration

• Data integrity risks

• System misuse

• Disclosure of sensitive information

Web of disruptive technologies

Raising the bar for improvements in enterprise IT governance

Technology and Industry Trends

62% of manufacturers will accelerate technology within 2 years (“Tech Evaluation, Adoption Stays on a Growth Curve”, Transformative Technologies: A Foggy Present, A Brighter Future, 10/2019)

Technology and Industry Trends

Example: Energy sector adoption of digital technologies will grow

• Players big and small across the oil and gas value chain are looking to digital technologies to achieve cost and operational efficiencies

• In 2019 alone, 27 new artificial intelligence and analytics partnerships were announced in the oil and gas sector according to Bloomberg

• Technologies such as Artificial Intelligence, Robotics, Enterprise Cloud Solutions and Blockchain are contributing to significant advancement across the industry

IT / OT RISK

Challenges and Trends

Challenges and IT/OT risks

The typical Enterprise IT approach doesn’t work

Over the years, enterprise IT has developed a number of architecture patterns, security controls, and technologies for information security. These approaches often have difficulties translating to the industrial world because:

Challenges and IT/OT risks

Virtualization and advancement of private and public cloud infrastructure accelerates risk

IoT devices are designed to interact with other systems and to give users expanded access to their capabilities and configuration. Connecting them to virtualized, cloud-based systems widens the attack surface and so increases risk.

• This interaction with unknown systems (other IoT devices, mobile platforms, etc.), and additional access for users (including physical access), opens attack avenues for:

⁻ Physical tampering (very difficult to detect without the proper measures)

⁻ Network tampering (very hard to detect without network monitoring)

• These attacks can result in:

⁻ Taking control of the IoT device

⁻ Stealing (or gaining access to) sensitive or private information

⁻ Disruption of services

• Centrally-managed IoT devices (accessible from a centralized control network) can provide an avenue for an attacker who controls an IoT device to attempt to compromise control (and even corporate) infrastructure on the IoT manufacturer’s side.

Typical challenges managing IT/OT risks

CHALLENGE 1: LACK OF GOVERNANCE AND COMMON UNDERSTANDING OF RISKS. Questions: Who should own the security for cyber assets and what should be the governance mechanisms in place? Is cyber asset security an IT problem?

CHALLENGE 2: INHERENT ARCHITECTURAL LIMITATIONS. Questions: How do we approach different generations of systems (i.e., legacy systems with inherent limitations and end of life) and consistently apply security controls?

CHALLENGE 3: ASSETS / DEVICE CONTROLS. Questions: Do we have a complete inventory of our assets and their current security state, and do we have clearly documented controls for these assets?

CHALLENGE 4: TECHNICAL SECURITY CONTROLS. Questions: How do we implement technical security controls across all the different systems, components and modules?

CHALLENGE 5: ONGOING MAINTENANCE THROUGHOUT THE ASSET LIFECYCLE. Questions: Do we understand the new threat vectors introduced by system changes? Do we always conduct change-driven risk assessments?

CHALLENGE 6: HIGH RELIANCE ON VENDORS. Questions: Do we understand the way the vendors connect to and use our systems?

CHALLENGE 7: LACK OF CENTRALIZED COMPLIANCE. Questions: Do we know how many systems currently comply with security guidelines and how many are vulnerable?

Polling question # 3

What do you see as the most significant technology related challenges for IoT at your (your clients’):

A. Differing technology stacks

B. Incompatible technology, software or tools

C. Environmental risks (onsite in industrial environments)

D. Reliance on third party vendors / support

E. Other

IT/OT integration challenges

There is no “one size fits all” answer

• Siloed IT/OT functions

⁻ Struggle with all of the mentioned challenges

⁻ Lower expense and effort of integration efforts

• Partially integrated IT/OT functions

⁻ Wide range of integration levels and associated benefits

⁻ Seek to balance cost/effort with risks and benefits

• Highly integrated IT/OT functions

⁻ Higher integration efficiencies and benefits

⁻ Higher cost and longer integration effort

⁻ More challenges with organizational / cultural changes

IT / OT GOVERNANCE

Leading Practices

Choose the right governance framework

▪ IT/IS governance is a framework to ensure that IT/IS investment and output are supporting organizational objectives and goals

▪ Utilize the framework to establish gaps, risks and priorities

▪ The governance framework is specific to the needs of the organization: industry, regulatory, size, structure, focus, maturity

Measure Against the Framework

▪ Performance vs risk indicators

▪ KPIs measure the actions that lead to a result (operational)

▪ KRIs measure the results of your actions (strategic)

▪ Begin with the most critical risks

▪ Many governance frameworks include recommended KPIs and KRIs

▪ Non-compliance with regulatory requirements and/or policy

▪ Start with the data you have: generate, iterate and automate

▪ Metric thresholds should align with organizational risk appetite

Risk model review

▪ ERM (Enterprise Risk Management): Board and executive visibility into organizational risks; IT/IS adopts ERM framework processes

▪ IT / IS governance framework: Select a framework for fit and purpose; aligns IT risk governance to organizational priorities

▪ Organization: Framework informs structure and job descriptions; leverage the framework to identify gaps

▪ Policies & procedures: Framework informs policy and procedure content; describe the “what” and “how” to deliver on the framework

▪ Metrics & monitoring: Concisely inform the Board of critical risk areas; start with the highest-risk KPIs/KRIs that can be produced today

▪ Effectiveness: Framework provides the basis for improving maturity; focus improvements on critical risk areas

Implications for risk management reporting

Developing an efficient monitoring and risk reporting process to concisely inform board members

1. Incorporate InfoSec into the ERM framework and reporting process

2. Raise risk awareness at all levels of the organization

3. Report only prioritized KRIs to the board to reduce the volume and detail of information

4. Create a dashboard view of the board packet to focus on high-risk KRIs

IT Governance Improvement Program: Governance Assessment, then Gaps and Roadmap, then Improvement Projects, each covering Organization, Policy, Monitoring and Effectiveness

IMPROVING ICS SECURITY

A path to sustainable security and compliance

A Model for Industrial Cyber Security – Areas of Focus

Follow logical steps that should be implemented sequentially to produce increasing levels of capability maturity

Primary guiding principles

▪ Keep it simple. Crawl before you walk

▪ Follow an ordered approach to avoid wasted remediation efforts

▪ Ensure it is risk appropriate. Do not disrupt the business

ICS Security Model (spanning both IT and OT): Governance, Architecture, Situational Awareness, Third Party Risk, Asset/Device Control, Process Security, Technical Security

Identify Your Risk (ICS threat and risk map)

Threats: Malware, Direct internal hack, Direct external hack, Denial of service, Malicious use, Physical access, Human error, Supply chain, Vendor compromise

Risks from a successful threat: CI Remote Control, PI Access, Business interruption, Economic impacts, Property damage, Public safety, Reputational, Compliance, PI Disclosure

PREVENTION / PROTECTION MEASURES (countermeasures)

1. Access Control

2. End Point Protection

3. Firewalls / ACLs

4. Security Protocols

5. Awareness Training

6. Patch Management

7. Configuration Management

IDENTIFICATION / RESPONSE MEASURES

1. Intrusion Detection System

2. Deep Packet Inspection

3. Network Analyzer

4. System Backup Restoration

5. DoS Defense System

6. Operating System Reinstallation

7. Hardware Replacement
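The measures above name firewalls/ACLs on the prevention side and an intrusion detection system with deep packet inspection on the identification side, but the deck does not show what an ICS-aware rule looks like. The following Python is an added example, not code from the presentation or from RSM: it parses Modbus/TCP request frames (the protocol is an assumption; the deck names none), rejects malformed frames, and raises an alert when a write function code arrives from a host that is not on the engineering-workstation allow-list. The IP addresses and the sample frames are constructed for the example.

```python
"""Added example: an ICS-aware DPI rule for Modbus/TCP.

Flags write function codes sent to a PLC by any host not on the
engineering-workstation allow-list, and rejects malformed frames.
Modbus/TCP framing follows the open Modbus specification:
MBAP header = transaction id (2 bytes), protocol id (2, always 0),
length (2, count of bytes that follow the length field), unit id (1);
then the PDU = function code (1) + data.
All addresses and frames below are constructed for this example.
"""
import struct
from typing import Optional, Tuple

# Function codes that change process state.
MODBUS_WRITE_FCS = {5: "Write Single Coil", 6: "Write Single Register",
                    15: "Write Multiple Coils", 16: "Write Multiple Registers"}
MODBUS_READ_FCS = {1: "Read Coils", 2: "Read Discrete Inputs",
                   3: "Read Holding Registers", 4: "Read Input Registers"}
# Requests of these types begin with a 16-bit starting address.
ADDRESSED_FCS = set(MODBUS_READ_FCS) | set(MODBUS_WRITE_FCS)

# Assumption: only the engineering workstation may write to PLCs (hypothetical address).
WRITE_ALLOWLIST = {"10.10.1.5"}


def parse_modbus_tcp(payload: bytes) -> Optional[Tuple[int, int, Optional[int]]]:
    """Parse one Modbus/TCP request; return (unit_id, function_code, start_address).

    Returns None for frames a DPI engine should not act on: too short,
    non-zero protocol id, or an MBAP length that disagrees with the payload.
    """
    if len(payload) < 8:
        return None
    _tid, proto, length, unit_id = struct.unpack("!HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    fc = payload[7]
    address = None
    if fc in ADDRESSED_FCS and len(payload) >= 10:
        address = struct.unpack("!H", payload[8:10])[0]
    return unit_id, fc, address


def build_frame(tid: int, unit_id: int, fc: int, address: int, rest: bytes) -> bytes:
    """Build a well-formed Modbus/TCP request (used only to construct sample traffic)."""
    pdu = struct.pack("!BH", fc, address) + rest
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


# Constructed sample flows: (source IP, PLC IP, TCP payload).
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.2.20", build_frame(1, 1, 3, 0, struct.pack("!H", 10))),   # EWS reads 10 registers
    ("10.10.1.5", "10.10.2.20", build_frame(2, 1, 6, 100, struct.pack("!H", 1))),  # EWS write: allow-listed
    ("10.10.1.77", "10.10.2.20", build_frame(3, 1, 16, 0, struct.pack("!HBHH", 2, 4, 0, 0))),  # unknown host writes 2 registers
    ("10.10.1.77", "10.10.2.20", build_frame(4, 1, 4, 0, struct.pack("!H", 1))),   # unknown host read: not a write, no alert
    ("10.10.1.77", "10.10.2.20", bytes.fromhex("00050001000401060001")),            # protocol id 1: malformed
]


def inspect_flows(flows, allowlist=WRITE_ALLOWLIST):
    """Apply the rule to each flow; return one alert dict per violation."""
    alerts = []
    for src, dst, payload in flows:
        parsed = parse_modbus_tcp(payload)
        if parsed is None:
            alerts.append({"src": src, "dst": dst, "reason": "malformed Modbus/TCP frame"})
            continue
        unit_id, fc, address = parsed
        if fc in MODBUS_WRITE_FCS and src not in allowlist:
            alerts.append({"src": src, "dst": dst, "unit": unit_id, "fc": fc,
                           "reason": f"{MODBUS_WRITE_FCS[fc]} at address {address} "
                                     f"from host not on the write allow-list"})
    return alerts


if __name__ == "__main__":
    for alert in inspect_flows(SAMPLE_FLOWS):
        print(alert)
```

Run against the constructed flows, the rule produces two alerts: the write-multiple-registers request from the non-allow-listed host and the frame with a non-zero protocol id. Reads from the unknown host pass, which is the point of keying the rule on function code rather than on source address alone: read-only polling from an HMI is normal, while a write from anything other than the engineering workstation is the change-driven event the deck's Challenge 5 asks you to notice.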


QUESTIONS

AND ANSWERS


This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. Internal Revenue Service rules require us to inform you that this communication may be deemed a solicitation to provide tax services. This communication is being sent to individuals who have subscribed to receive it or who we believe would have an interest in the topics discussed.

RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International.

RSM, the RSM logo and the power of being understood are registered trademarks of RSM International Association.


RSM US LLP

100 South Wacker

Chicago, IL 60601

+1 800 274 3978

rsmus.com
