we welcome you to the 7th annual hacking conference
TRANSCRIPT
Lessons Learned in Cybersecurity Governance for IT/OT Convergence
Scott’s Bio: Scott Shinners - Scott has over 28 years of professional experience in internal and external auditing, consulting, information technology management, business process improvement, and internal controls across a wide variety of clients in industries including manufacturing, consumer products, financial services, nonprofits, and other commercial entities. He also has experience providing leadership in the areas of internal audit, SAP and other ERP systems risks and controls, information technology controls, continuous audit, data analytics, information technology security, enterprise risk management, and corporate governance.
Ghazi’s Bio: Tauseef Ghazi - Ghazi currently serves as a principal in RSM’s security and privacy risk practice. He is a technical lead with more than 15 years of infrastructure security, system implementation and application security review experience. He has served as the lead director with responsibility for planning, budgeting, execution and delivery of information technology (IT) security assessments, cyber maturity evaluations, process control assessments, data privacy, business continuity, disaster recovery, IT governance, IT performance, IT risk assessment, infrastructure risk assessments, penetration testing and diagnostics.
© 2020 RSM US LLP. All Rights Reserved.
LESSONS LEARNED IN CYBERSECURITY GOVERNANCE FOR IT/OT CONVERGENCE
Shifts in Industrial Control and IOT
Risks
November 10, 2020
Introductions
RSM US LLP
Tauseef Ghazi, Principal, Risk Consulting: Leader in RSM’s security and privacy risk practice with over 20 years of cybersecurity, implementation and security experience in both IT and OT environments.
Scott Shinners, Partner, Risk Consulting: Leader in RSM’s technology risk services practice with over 30 years of internal audit, consulting, and IT governance experience.
Learning objectives
• Understand the key elements of the evolving threat landscape and of the IT/OT convergence
• Understand why organizations are considering IT/OT convergence
• Identify the key success factors and pitfalls in integrating IT and OT, as well as the steps involved in an IT/OT convergence
• Understand the key elements of cybersecurity governance frameworks that can be used to determine what steps to take to better secure the organization
IT / OT CONVERGENCE
The rapidly changing technology landscape
Shift in Industrial Control System landscape
Evolutionary drivers in industrial cyber security (timeline, 1980 to 2020):
• Direct digital control via serial
• Ethernet adopted
• UNIX and TCP-IP adopted to promote openness
• First PLCs used
• Windows becomes de-facto control software. Unix dominates RTOS.
• Suppliers switch to commercial and off the shelf hardware components
• Suppliers shift to software and value-add services
• IT platforms become “standardized”
• ICS systems connected to enterprise/public internet
• Hybrid environments cause skill set gaps
• NERC CIPv5 regulations
• Industrial IoT vision
• Increasing desire and need for automation
• AR & VR becoming common UI
Polling question # 1
Has your company or client(s) implemented significant numbers of IoT devices inside your (clients’) organization?
A. Yes
B. No
Polling question # 2
If you have implemented a significant number of IoT devices across your network, are the processes (including risk management) and controls included in your ERM/IT audit scope?
A. Our ERM covers IoT device risks
B. Our IT audit coverage includes IoT device risks
C. We have both ERM and IT audit coverage over IoT devices
D. Significant IoT exists, but we have not built it into ERM/IT audit coverage
E. We do not have significant risks associated with IoT
Shift in Industrial Control System landscape
New dimensions to risk and exposure within ICS (1990 to 2020)
ANALOG ICS - Traditional risks:
• Critical equipment failure
• Health and safety
• Compliance and regulatory
• Theft or misuse of asset
• Physical espionage
• Human error
• Environmental
DIGITAL ICS - Emerging risks:
• Cyber espionage
• Cyber attacks
• Privacy risks
• Unavailability of critical systems
• Critical system failure
• Interconnectivity risks
• Loss of critical data
• Automation errors and misconfiguration
• Data integrity risks
• System misuse
• Disclosure of sensitive information
Web of disruptive technologies
Raising the bar for improvements in enterprise IT governance
Technology and Industry Trends
62% of manufacturers will accelerate technology within 2 years
Source: “Tech Evaluation, Adoption Stays on a Growth Curve” - Transformative Technologies: A Foggy Present, A Brighter Future (10/2019)
Technology and Industry Trends
Example: Energy sector adoption of digital technologies will grow
• Players big and small across the oil and gas value chain are looking to digital technologies to achieve cost and operational efficiencies
• In 2019 alone, 27 new artificial intelligence and analytics partnerships were announced in the oil and gas sector, according to Bloomberg
• Technologies such as Artificial Intelligence, Robotics, Enterprise Cloud Solutions and Blockchain are contributing to significant advancement across the industry
IT / OT RISK
Challenges and Trends
Challenges and IT/OT risks
The typical Enterprise IT approach doesn’t work
Over the years, enterprise IT has developed a number of architecture patterns, security controls, and technologies for information security. These approaches often have difficulties translating to the industrial world because:
Challenges and IT/OT risks
Virtualization and advancement of private and public cloud infrastructure accelerates risk
IoT devices are designed to interact with other systems and to give the user enhanced interaction with their capabilities and configuration; combined with virtual, cloud-based systems, this increases risk through an expanded attack surface.
• This interaction with unknown systems (other IoT devices, mobile platforms, etc.), and additional access to users (including physical), opens attack avenues for:
⁻ Physical tampering (very difficult to detect without the proper measures)
⁻ Network tampering (almost impossible to detect)
• These attacks can result in:
⁻ Taking control of the IoT device
⁻ Stealing (or gaining access to) sensitive or private information
⁻ Disruption of services
• Centrally-managed IoT devices (accessible from a centralized control network) can provide an avenue for an attacker who controls an IoT device to attempt to compromise control (and even corporate) infrastructure on the IoT manufacturer’s side.
Typical challenges managing IT/OT risks
CHALLENGE 1 - LACK OF GOVERNANCE AND COMMON UNDERSTANDING OF RISKS
Questions: Who should own the security for cyber assets and what should be the governance mechanisms in place? Is cyber asset security an IT problem?
CHALLENGE 2 - INHERENT ARCHITECTURAL LIMITATIONS
Questions: How do we approach different generations of systems (i.e., legacy systems with inherent limitations and end of life) and consistently apply security controls?
CHALLENGE 3 - ASSETS / DEVICE CONTROLS
Questions: Do we have a complete inventory of our assets and their current security state, and do we have clearly documented controls for these assets?
CHALLENGE 4 - TECHNICAL SECURITY CONTROLS
Questions: How do we implement technical security controls across all the different systems, components and modules?
CHALLENGE 5 - ONGOING MAINTENANCE THROUGHOUT THE ASSET LIFECYCLE
Questions: Do we understand the new threat vectors introduced by system changes? Do we always conduct change-driven risk assessments?
CHALLENGE 6 - HIGH RELIANCE ON VENDORS
Questions: Do we understand the way the vendors connect to and use our systems?
CHALLENGE 7 - LACK OF CENTRALIZED COMPLIANCE
Questions: Do we know how many systems currently comply with security guidelines and how many are vulnerable?
Polling question # 3
What do you see as the most significant technology-related challenges for IoT at your (or your clients’) organization?
A. Differing technology stacks
B. Incompatible technology, software or tools
C. Environmental risks (onsite in industrial environments)
D. Reliance on third party vendors / support
E. Other
IT/OT integration challenges
There is no “one size fits all” answer
• Siloed IT/OT functions
⁻ Struggle with all of the mentioned challenges
⁻ Lower expense and effort of integration efforts
• Partially integrated IT/OT functions
⁻ Wide range of integration levels and associated benefits
⁻ Seek to balance cost/effort with risks and benefits
• Highly integrated IT/OT functions
⁻ Higher integration efficiencies and benefits
⁻ Higher cost and longer integration effort
⁻ More challenges with organizational / cultural changes
IT / OT GOVERNANCE
Leading Practices
Choose the right governance framework
▪ IT/IS governance is a framework to ensure that IT/IS investment and output are supporting organizational objectives and goals
▪ Utilize the framework to establish gaps, risks and priorities
▪ Governance framework is specific to the needs of the organization:
  ▪ Industry
  ▪ Regulatory
  ▪ Size
  ▪ Structure
  ▪ Focus
  ▪ Maturity
Measure Against the Framework
▪ Performance vs risk indicators
  ▪ KPIs measure the actions that lead to a result – operational
  ▪ KRIs measure the results from your actions – strategic
▪ Begin with the most critical risks
  ▪ Many governance frameworks include recommended KPIs and KRIs
  ▪ Non-compliance with regulatory requirements and/or policy
▪ Start with the data you have - generate, iterate and automate
▪ Metric thresholds should align with organizational risk appetite
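As an added illustration of measuring against the framework (example code written for this page, not part of the RSM deck), the Python below computes one KPI and two KRIs from a constructed asset inventory and compares them with thresholds that stand in for an organization's risk appetite, reporting only the breaches, as the later slide on board reporting recommends. The asset fields, the per-zone patch windows and the threshold values are all assumptions chosen for the example. The same inventory view also speaks to Challenge 3 (asset inventory and security state), Challenge 6 (how vendors connect) and Challenge 7 (how many systems comply).

```python
"""Compute KPIs/KRIs from a constructed IT/OT asset inventory and compare
them against thresholds that express the organization's risk appetite."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    zone: str                   # assumed zones: "corporate", "dmz" or "control"
    end_of_life: bool           # vendor no longer ships security fixes
    days_since_patch: int       # age of the last applied security patch
    enterprise_reachable: bool  # routable from the enterprise network
    vendor_remote_access: bool  # a vendor has a remote connection to it
    remote_access_mfa: bool     # ... and that connection enforces MFA


# Constructed sample inventory; these are not real assets.
INVENTORY = [
    Asset("HMI-01", "control", True, 410, True, True, False),
    Asset("PLC-07", "control", False, 95, False, False, False),
    Asset("HIST-01", "dmz", False, 12, True, True, True),
    Asset("ENG-WS-02", "control", False, 40, True, False, False),
    Asset("ERP-APP-1", "corporate", False, 9, True, False, False),
    Asset("FILE-SRV", "corporate", True, 20, True, True, True),
]

# Patch windows differ per zone because OT patching follows maintenance
# cycles; the values are assumptions for this example.
PATCH_WINDOW_DAYS = {"corporate": 30, "dmz": 60, "control": 120}

# Thresholds encode risk appetite (assumed values, not RSM guidance).
THRESHOLDS = {
    "kpi_patch_compliance_min": {"corporate": 0.95, "dmz": 0.90, "control": 0.80},
    "kri_eol_enterprise_reachable_max": 0,
    "kri_vendor_access_without_mfa_max": 0,
}


def patch_compliance(inventory):
    """KPI (operational): share of assets per zone patched within the zone's window."""
    totals, compliant = {}, {}
    for a in inventory:
        totals[a.zone] = totals.get(a.zone, 0) + 1
        if a.days_since_patch <= PATCH_WINDOW_DAYS[a.zone]:
            compliant[a.zone] = compliant.get(a.zone, 0) + 1
    return {zone: compliant.get(zone, 0) / n for zone, n in totals.items()}


def eol_enterprise_reachable(inventory):
    """KRI (strategic): end-of-life assets the enterprise network can reach."""
    return sorted(a.asset_id for a in inventory
                  if a.end_of_life and a.enterprise_reachable)


def vendor_access_without_mfa(inventory):
    """KRI (strategic): vendor remote connections that do not enforce MFA."""
    return sorted(a.asset_id for a in inventory
                  if a.vendor_remote_access and not a.remote_access_mfa)


def board_report(inventory, thresholds=THRESHOLDS):
    """Return only the indicators that breach their threshold (prioritized KRIs)."""
    breaches = []
    for zone, rate in patch_compliance(inventory).items():
        floor = thresholds["kpi_patch_compliance_min"][zone]
        if rate < floor:
            breaches.append(f"KPI patch compliance {zone}: {rate:.0%} < {floor:.0%}")
    eol = eol_enterprise_reachable(inventory)
    if len(eol) > thresholds["kri_eol_enterprise_reachable_max"]:
        breaches.append(f"KRI EOL assets reachable from enterprise: {eol}")
    no_mfa = vendor_access_without_mfa(inventory)
    if len(no_mfa) > thresholds["kri_vendor_access_without_mfa_max"]:
        breaches.append(f"KRI vendor remote access without MFA: {no_mfa}")
    return breaches


if __name__ == "__main__":
    for line in board_report(INVENTORY):
        print(line)
```

The KPI is zone-aware because a 30-day patch window that is reasonable for corporate servers would put every control-system asset permanently out of compliance; the KRIs, by contrast, are counts whose appetite is zero, so a single end-of-life HMI reachable from the enterprise network is enough to surface on the board packet.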
Risk model review
ERM - Enterprise Risk Management: Board and executive visibility into organizational risks; IT/IS adopts ERM framework processes.
IT / IS Governance Framework: Select a framework for fit and purpose; aligns IT risk governance to organizational priorities.
Effectiveness: Framework provides the basis for improving maturity; focus improvements on critical risk areas.
Policies & Procedures: Framework informs policy and procedure content; describe the “what” and “how” to deliver on the framework.
Metrics & Monitoring: Concisely inform the Board of critical risk areas; start with the highest risk KPIs/KRIs that can be produced today.
Organization: Framework informs structure and job descriptions; leverage the framework to identify gaps.
Implications for risk management reporting
Developing an efficient monitoring and risk reporting process to concisely inform board members
1. Incorporate InfoSec into ERM framework and reporting process
2. Raise risk awareness at all levels of the organization
3. Report only prioritized KRIs to the board to reduce volume and detail of information
4. Create dashboard view of board packet to focus on high risk KRIs
IT Governance Improvement Program
Dimensions: Organization, Policy, Monitoring, Effectiveness
Phases: Governance Assessment; Gaps and Roadmap; Improvement Projects
IMPROVING ICS SECURITY
A path to sustainable security and compliance
A Model for Industrial Cyber Security – Areas of Focus
Follow logical steps that should be implemented sequentially to produce increasing levels of capability maturity
Primary guiding principles
▪ Keep it simple. Crawl before you walk
▪ Follow an ordered approach to avoid wasted remediation efforts
▪ Ensure it is risk appropriate. Do not disrupt the business
ICS Security Model - areas of focus (spanning both IT and OT):
▪ Governance
▪ Architecture
▪ Situational Awareness
▪ Third Party Risk
▪ Asset/Device Control
▪ Process Security
▪ Technical Security
Identify Your Risk
Threats:
• Malware
• Direct internal hack
• Direct external hack
• Denial of service
• Malicious use
• Physical access
• Human error
• Supply chain
• Vendor compromise
Risks (impacts of a successful threat):
• CI remote control
• PI access
• Business interruption
• Economic impacts
• Property damage
• Public safety
• Reputational
• Compliance
• PI disclosure
PREVENTION / PROTECTION MEASURES (countermeasures):
1. Access Control
2. End Point Protection
3. Firewalls / ACLs
4. Security Protocols
5. Awareness Training
6. Patch Management
7. Configuration Management
IDENTIFICATION / RESPONSE MEASURES:
1. Intrusion Detection System
2. Deep Packet Inspection
3. Network Analyzer
4. System Backup Restoration
5. DoS Defense System
6. Operating System Reinstallation
7. Hardware Replacement
QUESTIONS
AND ANSWERS
This document contains general information, may be based on authorities that are subject to change, and is not
a substitute for professional advice or services. This document does not constitute audit, tax, consulting,
business, financial, investment, legal or other professional advice, and you should consult a qualified
professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and
related entities are not responsible for any loss resulting from or relating to reliance on this document by any
person. Internal Revenue Service rules require us to inform you that this communication may be deemed a
solicitation to provide tax services. This communication is being sent to individuals who have subscribed to
receive it or who we believe would have an interest in the topics discussed.
RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network
of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide
services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each
member firm is responsible only for its own acts and omissions, and not those of any other party. Visit
rsmus.com/aboutus for more information regarding RSM US LLP and RSM International.
RSM, the RSM logo and the power of being understood are registered trademarks of RSM International
Association.
RSM US LLP
100 South Wacker
Chicago, IL 60601
+1 800 274 3978
rsmus.com