TRANSCRIPT
Welcome to Orange Cyberdefense Live 2021
Thank you for your attention!
Address: Orange Cyberdefense Belgium, Green Water Tower, Stokerijstraat 35, 2110 Wijnegem, Belgium
Contact number: +32 3 641 95 95
NIS implementation @ FARYS
Inge Opreel, Director ICT FARYS
Introduction
Multi-Utility Company in Flanders
Business units: Water Supply, Domain Services, Sports, CREAT, AquaDomo & RENI
• Production, delivery
• Customer service: metering etc.
• Build & maintain infrastructure for water and sewage
• Management and maintenance of over 80 swimming pools and sport facilities
• Purchase center for governmental and non-profit organizations
• Online catalogs & procurement
• Water management, re-use, treatment, rainwater, and sanitation
600 000 water meters
84 Mm³ delivered
11 000 km of network
650 000 customers
950 employees
Drinking water sector in Flanders
• Aquaflanders: AquaFlanders is the federation of Flemish water companies and sewer managers.
• VMM: regulator for the drinking water sector.
National Committee for the Security of the Supply and Distribution of Drinking Water
• Royal decree of 20th August 2020 defines the creation and organization of this Committee
• Competent Authority for the drinking water sector under the NIS regulation
• Selects the OESs (Operators of Essential Services)
NIS & the drinking water sector
• The Belgian “NIS” law was published on the 3rd of May 2019
• A first Royal Decree was published on the 18th of July 2019. No competent authority was assigned at this stage
• A second Royal Decree was published on the 20th of August 2020: National Committee for the Security of the Supply and Distribution of Drinking Water
Joint approach in Flanders
• NIS workgroup at Aquaflanders
  - Members: AGSO Knokke Heist, De Watergroep, FARYS, IWVA, Pidpa and Waterlink
  - Frequency: every 6 – 8 weeks
• Joint approach decided in 2019: ISO/IEC 27001 certification
Minimal scope definition of essential services
• Scope was defined in 2019 during workshops at Aquaflanders NIS Workgroup level in collaboration with Orange Cyberdefense.
• Definition of essential services for a drinking water company: The essential service of a drinking water company is the reliable and high-quality supply of drinking water to all customers of the water company.
• Scope statement for the ISMS: The ISMS applies to all relevant processes and technological resources that support the production and distribution of drinking water to our customers. All systems that have no impact on the essential services are disregarded.
• High level inventory of processes relevant to the scope (see next slide)
High level process overview
• Essential processes: Water supply, Water production, Water storage, Distribution of drinking water, Quality control
• Supporting processes: HR, ICT, Supplier management
• Incident Management processes: Monitoring and alerting, Communication
NIS obligations for the drinking water sector
1. Assign a contact and communicate the contact details for the security of the network and information systems within 3 months after the assignment as an OES.
2. Deliver a description of the network and information systems relevant to the supply and distribution of drinking water to the committee.
3. Report all incidents with an impact on availability, confidentiality, integrity or authenticity on the network and information systems relevant to the supply and distribution of drinking water.
4. Take technical and organizational measures to manage the risks of the network and information systems relevant to the supply and distribution of drinking water (cf. ISO/IEC 27001).
5. Draw up a security policy for network and information systems (ISMS) within 12 months after the assignment as an OES.
6. Implement all selected security measures in the ISMS within 24 months after the assignment as an OES.
7. Conduct an annual internal audit of the network and information systems within 3 months after the implementation of the ISMS.
8. Conduct an external audit every 3 years and the first external audit must be conducted within 24 months after the first internal audit.
NIS & ISO/IEC 27001
Belgian “NIS” law: you are legally considered to be in accordance with the NIS legislation when you are ISO/IEC 27001 certified.
NIS Implementation @ FARYS
• FARYS has been assigned as an Operator of Essential Services (OES) on the 4th of March 2021.
ISO/IEC 27001 certification by the end of 2023!
Timing
• August 2019: Joint approach at Aquaflanders level
• 1 Sep '19 – 31 Oct '19: Scope definition of essential services
• 1 Dec '19 – 29 Feb '20: Inventory of processes
• 31 May '20 – 28 Feb '22: Implementation of ISMS
• 1 Jun '20 – 31 Dec '20: Risk assessment
• September 2020: Creation of the competent authority
• 4 Mar 2021: Appointment as Operator of Essential Services
• 1 April '21 – 4 Mar '23: Implementation of security measures
• 4 June 2021: Description of network and information services
• 4 Mar 2022: ISMS implemented
• 1 April '22 – 31 Dec '23: Audit / certification
• May 2022: First internal audit
• 4 Mar 2023: Security measures implemented
• December 2023: First external audit
High level process overview (revisited)
Same process map as before (essential, supporting and incident management processes), with two notes:
• The laboratory of FARYS is already ISO/IEC 17025 certified.
• These processes depend heavily on the SCADA environment.
SCADA environment
■ Standardized on Siemens infrastructure
■ SIMATIC WinCC
■ IO servers, archive servers and web servers
■ PLCs: 500 PLC connections
Inventory of processes
• Workshops with the relevant business units
• Detailed inventory of the essential processes @ FARYS
• Overview of the supporting ICT systems
• Input for the risk assessment
Risk assessment
• OT maturity assessment based on the IEC 62443 standard, conducted by Siemens
• Risk assessment of all relevant processes and systems based on ISO/IEC 27005
• Result: a risk treatment plan with a selection of technical and organizational measures to mitigate the risks
Implementation of the ISMS
• Finalizing the documentary phase of the 7 clauses of ISO/IEC 27001
• Examples:
  - Stakeholder analysis
  - Risk assessment methodology
  - KPIs
  - Document management methodology
  - Etc.
• Next step is the implementation of the selected controls of ISO/IEC 27002
ISMS implementation overview
• PLAN – Define & Establish: Initiating ISMS, Understand the organization, Analyse existing, Leadership & Approval, Scope, Policies, Risk Management, Organizational Structure, Statement of Applicability
• DO – Implement & Operate: Design of Controls & Procedures, Implementation of Controls, Document Management, Communication, Awareness & Training, Operations Management
• CHECK – Monitor & Review: Monitor & Measurement, Analysis & Evaluation, Internal Audit, Management review
• ACT – Maintain & Improve: Treatment of Non-Conformities, Continuous Improvement
Implementation of security measures 1/2
• ISO/IEC 27001 and the CIS controls as inspiration
• Best practices
• Pragmatic approach
Implementation of security measures 2/2
• In the ICS/OT environment we use the IEC 62443 standard as inspiration
Audit / certification
• A first internal ISO/IEC 27001 audit will be performed before May 2022.
• The certification audit will be planned by the end of 2023.
Main focus areas / Defense in Depth
• Define security baselines based on the criticality of the drinking water sites.
• Physical security
• Asset inventory and vulnerability scanning.
• 3rd party remote access
• User awareness
• Creating visibility / anomaly detection
Key success factors 1/2
■ Management buy-in
  - Involvement of management is key: the project is presented at multiple management team meetings
  - Clear responsibilities: Security Officer
  - Impact on the organization
  - Budget
■ Pragmatic approach
  - Look at best practices
  - Avoid creating complex processes
■ Resources
  - Budget
  - Manpower
  - Impact on different business areas: Management, ICT department (incl. the SCADA team), HR department, Purchase department, Legal department
Key success factors 2/2
■ Collaboration
  - Close collaboration between ICT and ICS/OT teams is very important
  - Collaboration within the drinking water sector
■ Partnership with Orange Cyberdefense
  - Guidance during the complete journey towards NIS compliance
  - In-depth knowledge of the ISO/IEC 27001 and IEC 62443 standards
  - Knowledge of the drinking water sector
  - Pragmatic approach
NIS 2.0
Possible impact of NIS 2.0
■ NIS 1.0: only distribution of drinking water is included
■ NIS 2.0: waste water will be added to the scope
The scope of the ISMS will be extended to the waste water infrastructure
Impact on FARYS
■ The waste water infrastructure is managed via the same SCADA environment as the drinking water infrastructure
■ Most processes already include the waste water infrastructure
The impact of NIS 2.0 will be moderate
Q & A
Merci! Thank you! Danke! Dank u!