CSHM-2017 | Creating Realistic Cyber Security Policies for Industrial Control Systems

Crafting a cyber security strategy that is simple enough to actually be implemented, yet nuanced enough to be effective is no easy task. This session will present the principles that a successful cyber security policy can be built around. This can be accomplished by reconciling IT security solutions’ prioritization of confidentiality against ICS’s prioritization of availability. An understanding of the threats ICS will face in terms of probability, not possibility, is required. This understanding would include an explanation of how current ICS strategies fail. Policy foundations will then be presented that allow proven IT security strategies to be successfully applied to ICS legacy networks. These recommendations include:

1) Prioritizing the field equipment.
2) Extending proven IP security strategies and techniques to the field.
3) Following accredited guidelines as a way to standardize and therefore successfully implement a strategy. Success being measured here by a policy’s likelihood of successful implementation and its actual ability to provide security.

Objectives:

• Attendees will be shown relevant examples of ICS security breaches as a context for understanding the probability of an attacks vs. the possibility of an attack as well as highlighting the failures of ad hoc security.
• Attendees will gain a better understanding of how the IOT and IIOT differ in their approaches to cyber security and therefore also differ in their implementation of cyber security. Specifically, they will be shown the difference between technology that has security features and security technology and the impact this has on actual network security.

Attendees will leave the presentation with an understanding of how accredited standards guide decision making for successful cyber security policies. Success being measured here by a policy’s likelihood of effective implementation and its actual ability to provide security.