SlideShare una empresa de Scribd logo

Cybersecurity-for-Industrial-Control-Systems_joa_Eng_0115

A
A Krista Kivisild
1 de 2
Descargar para leer sin conexión
1ISACA JOURNAL Volume 1, 2015©2015 ISACA. All rights reserved. www.isaca.org In June 2010, a computer worm known as Stuxnet, designed to attack industrial programmable logic controllers (PLCs) in target areas, such as nuclear power plants in Iran,1 was discovered. While certainly not the first (nor the last) piece of malware targeting industrial control systems (ICSs), it helped bring this type of industrial espionage into the limelight, as it appeared to involve matters of national security, bringing the activity of planting a virus from the fictional world of James Bond to the real world of national secret service agencies. Suddenly, mundane control systems became provocative. ICSs have been around for decades with the job of controlling, monitoring and managing large production systems, often in critical infrastructure industries, such as electric power generators, transportation systems, dams, chemical facilities, petrochemical operations and pipelines. ICSs include process control systems (PCSs), distributed control systems (DCSs), and supervisory control and data acquisition (SCADA). While not traditionally lively, the field of ICS has been rapidly expanding with security solutions in response to the increasing threats. Despite this expansion, there is still a small amount of management-level guidance to develop business cases for risk managers to use to perform assessments. There is also a lack of guidance for use by auditors to evaluate the adequacy and balance of controls relative to risk.2 In short, the purpose of the book Cybersecurity for Industrial Control Systems by Tyson Macaulay and Bryan Singer is to address the imbalance between the available technical information on ICS security and related management-level guidance. The authors do a good job of providing a thorough introduction into ICSs, explaining all of the technical details and information so that even novice information systems (IS) security professionals or auditors can get their bearings and begin to have a solid understanding of the business and the environment in which ICS operates. While ICS and related subjects can be technical, this book presents them with enough detail and in a straightforward enough manner so that the information is clear. From here, the authors provide ample information to ensure that even an experienced security professional is fully briefed on the threats, vulnerabilities, risk assessment techniques and what is coming next in the field. From this vantage point, the book serves as a good reference book to gain a valuable breadth of knowledge of areas falling within the field of ICS. The book is well documented throughout and includes references to various regulations governing the field of ICS, including those from the US National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), and the UK National Security Advice Centre. It also discusses the impact of various regulatory commissions across different countries, as these bodies set standards for process controls, establish security standards for industry and, thus, have an impact on ICS security. The book also compares ICS security to regular IT security and highlights any differences and similarities. Although the book is well documented and provides great detail, there is some truth in the saying that it is not possible to be all things to all people. The authors identify their target audience as IT or ICS security novices, IT or ICS security practitioners, experienced IT security gurus, auditors of IT systems, forensic practitioners, accident investigators, and ICS engineers. This target audience contains quite a wide range of readers with differing needs. While there is sufficient detail from a security, audit or investigative point of view, those who are engineers or are involved with forensics may require more Reviewed by A. Krista Kivisild, CISA, CA, who has had a diverse career in audit, working in government, private companies and public organizations. Kivisild has experience in IT audit, governance, compliance/ regulatory auditing, value for money auditing and operational auditing. She has served as a volunteer instructor, training not-for-profit boards on board governance concepts, with the Alberta (Canada) Government Board Development Program and has served as the membership director and CISA director for the ISACA Winnipeg (Manitoba, Canada) Chapter. Cybersecurity for Industrial Control Systems By Tyson Macaulay and Bryan Singer
2ISACA JOURNAL Volume 1, 2015©2015 ISACA. All rights reserved. www.isaca.org detailed information than this book provides. For most users, the detailed explanations, supporting figures and tables, and detailed references at the end of each chapter provide the answers to their questions. ICSs are not new, but more and more they are being exposed to new threats as they become Internet-facing and their critical services are exposed to attack. Cybersecurity for Industrial Control Systems provides readers with a solid foundation to understand what the different control systems are, what the threats and vulnerabilities are, what the current and new risk assessment techniques are in the field of ICS risk management, and where ICS security is headed in the future. EDITOR’S NOTE Cybersecurity for Industrial Control Systems is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in this Journal, visit www.isaca. org/bookstore, email bookstore@isaca.org or telephone +1.847.660.5650. ENDNOTE 1 Gross, Michael Joseph; “A Declaration of Cyber-War,” Vanity Fair, April 2011, www.vanityfair.com/culture/ features/2011/04/stuxnet-201104 2 Macaulay, Tyson; Bryan Singer; Cybersecurity for Industrial Control Systems SCADA, DCS, PLC, HMI, and SIS, CRC Press, USA, 2012

Recomendados

Security and Privacy in IoT and Cyber-physical Systems
Security and Privacy in IoT and Cyber-physical SystemsSecurity and Privacy in IoT and Cyber-physical Systems
Security and Privacy in IoT and Cyber-physical Systems
Bob Marcus
 
Securing Industrial Control Systems - CornCON II: The Wrath Of Corn
Securing Industrial Control Systems - CornCON II: The Wrath Of CornSecuring Industrial Control Systems - CornCON II: The Wrath Of Corn
Securing Industrial Control Systems - CornCON II: The Wrath Of Corn
Eric Andresen
 
OT Experts Share Their Strategies - Securing Critical Infrastructure in the P...
OT Experts Share Their Strategies - Securing Critical Infrastructure in the P...OT Experts Share Their Strategies - Securing Critical Infrastructure in the P...
OT Experts Share Their Strategies - Securing Critical Infrastructure in the P...
Mighty Guides, Inc.
 
NIST releases SP 800-160 Multi-discplinary approach to cybersecurity
NIST releases SP 800-160 Multi-discplinary approach to cybersecurityNIST releases SP 800-160 Multi-discplinary approach to cybersecurity
NIST releases SP 800-160 Multi-discplinary approach to cybersecurity
David Sweigert
 
Lessons Learned: Protecting Critical Infrastructure from Cyber Attacks
Lessons Learned: Protecting Critical Infrastructure from Cyber AttacksLessons Learned: Protecting Critical Infrastructure from Cyber Attacks
Lessons Learned: Protecting Critical Infrastructure from Cyber Attacks
Mighty Guides, Inc.
 
Strategies for Managing OT Cybersecurity Risk
Strategies for Managing OT Cybersecurity RiskStrategies for Managing OT Cybersecurity Risk
Strategies for Managing OT Cybersecurity Risk
Mighty Guides, Inc.
 
Bankinfonews
BankinfonewsBankinfonews
Bankinfonews
Vikram Kalkat
 
InduSoft Speaks at Houston Infragard on February 17, 2015
InduSoft Speaks at Houston Infragard on February 17, 2015InduSoft Speaks at Houston Infragard on February 17, 2015
InduSoft Speaks at Houston Infragard on February 17, 2015
AVEVA
 

Recomendados

Security and Privacy in IoT and Cyber-physical Systems
Security and Privacy in IoT and Cyber-physical SystemsSecurity and Privacy in IoT and Cyber-physical Systems
Security and Privacy in IoT and Cyber-physical Systems
Bob Marcus
 
Securing Industrial Control Systems - CornCON II: The Wrath Of Corn
Securing Industrial Control Systems - CornCON II: The Wrath Of CornSecuring Industrial Control Systems - CornCON II: The Wrath Of Corn
Securing Industrial Control Systems - CornCON II: The Wrath Of Corn
Eric Andresen
 
OT Experts Share Their Strategies - Securing Critical Infrastructure in the P...
OT Experts Share Their Strategies - Securing Critical Infrastructure in the P...OT Experts Share Their Strategies - Securing Critical Infrastructure in the P...
OT Experts Share Their Strategies - Securing Critical Infrastructure in the P...
Mighty Guides, Inc.
 
NIST releases SP 800-160 Multi-discplinary approach to cybersecurity
NIST releases SP 800-160 Multi-discplinary approach to cybersecurityNIST releases SP 800-160 Multi-discplinary approach to cybersecurity
NIST releases SP 800-160 Multi-discplinary approach to cybersecurity
David Sweigert
 
Lessons Learned: Protecting Critical Infrastructure from Cyber Attacks
Lessons Learned: Protecting Critical Infrastructure from Cyber AttacksLessons Learned: Protecting Critical Infrastructure from Cyber Attacks
Lessons Learned: Protecting Critical Infrastructure from Cyber Attacks
Mighty Guides, Inc.
 
Strategies for Managing OT Cybersecurity Risk
Strategies for Managing OT Cybersecurity RiskStrategies for Managing OT Cybersecurity Risk
Strategies for Managing OT Cybersecurity Risk
Mighty Guides, Inc.
 
Bankinfonews
BankinfonewsBankinfonews
Bankinfonews
Vikram Kalkat
 
InduSoft Speaks at Houston Infragard on February 17, 2015
InduSoft Speaks at Houston Infragard on February 17, 2015InduSoft Speaks at Houston Infragard on February 17, 2015
InduSoft Speaks at Houston Infragard on February 17, 2015
AVEVA
 
ISACA SLOVENIA CHAPTER October 2016 - Lubiana
ISACA SLOVENIA CHAPTER October 2016 - LubianaISACA SLOVENIA CHAPTER October 2016 - Lubiana
ISACA SLOVENIA CHAPTER October 2016 - Lubiana
Luca Moroni ✔✔
 
Critical Infrastructure and Cyber Security: trends and challenges
Critical Infrastructure and Cyber Security: trends and challengesCritical Infrastructure and Cyber Security: trends and challenges
Critical Infrastructure and Cyber Security: trends and challenges
Community Protection Forum
 
CyCron 2016
CyCron 2016CyCron 2016
CyCron 2016
Cruxcreative
 
IT-Security-Governance-Innovations_joa_Eng_0515
IT-Security-Governance-Innovations_joa_Eng_0515IT-Security-Governance-Innovations_joa_Eng_0515
IT-Security-Governance-Innovations_joa_Eng_0515
A Krista Kivisild
 
Secure your Space: The Internet of Things
Secure your Space: The Internet of ThingsSecure your Space: The Internet of Things
Secure your Space: The Internet of Things
The Security of Things Forum
 
Capstone Team Report -The Vicious Circle of Smart Grid Security
Capstone Team Report -The Vicious Circle of Smart Grid SecurityCapstone Team Report -The Vicious Circle of Smart Grid Security
Capstone Team Report -The Vicious Circle of Smart Grid Security
reuben_mathew
 
Securing the Fog
Securing the FogSecuring the Fog
Securing the Fog
The Security of Things Forum
 
ARC's Bob Mick Cyber Security Presentation @ ARC Industry Forum 2010
ARC's Bob Mick Cyber Security Presentation @ ARC Industry Forum 2010ARC's Bob Mick Cyber Security Presentation @ ARC Industry Forum 2010
ARC's Bob Mick Cyber Security Presentation @ ARC Industry Forum 2010
ARC Advisory Group
 
Internet of things
Internet of thingsInternet of things
Internet of things
varungoyal98
 
Open source software in government challenges and opportunities
Open source software in government challenges and opportunitiesOpen source software in government challenges and opportunities
Open source software in government challenges and opportunities
Luke Fretwell
 
John kingsley OT ICS SCADA Cyber security consultant
John kingsley OT ICS SCADA Cyber security consultantJohn kingsley OT ICS SCADA Cyber security consultant
John kingsley OT ICS SCADA Cyber security consultant
John Kingsley
 
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...Cyber Security Awareness of Critical Infrastructures in North East of Italy S...
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...
Luca Moroni ✔✔
 
Security and Privacy Big Challenges in Internet of things
Security and Privacy Big Challenges in Internet of thingsSecurity and Privacy Big Challenges in Internet of things
Security and Privacy Big Challenges in Internet of things
IRJET Journal
 
Cybersecurity Summit AHR20 NIST framework Cimetrics
Cybersecurity Summit AHR20 NIST framework CimetricsCybersecurity Summit AHR20 NIST framework Cimetrics
Cybersecurity Summit AHR20 NIST framework Cimetrics
Cimetrics Inc
 
Cybersecurity in the Era of IoT
Cybersecurity in the Era of IoTCybersecurity in the Era of IoT
Cybersecurity in the Era of IoT
Amy Daly
 
Security Redefined - Prevention is the future!!
Security Redefined - Prevention is the future!!Security Redefined - Prevention is the future!!
Security Redefined - Prevention is the future!!
Daniel L. Cruz
 
Cyber Six: Managing Security in Internet
Cyber Six: Managing Security in InternetCyber Six: Managing Security in Internet
Cyber Six: Managing Security in Internet
Richardus Indrajit
 
Infosecurity Europe - Infographic
Infosecurity Europe - InfographicInfosecurity Europe - Infographic
Infosecurity Europe - Infographic
Synopsys Software Integrity Group
 
ICS_WhitePaper_Darktrace
ICS_WhitePaper_DarktraceICS_WhitePaper_Darktrace
ICS_WhitePaper_Darktrace
Austin Eppstein
 
CyberSecurity_for_the_IoT
CyberSecurity_for_the_IoTCyberSecurity_for_the_IoT
CyberSecurity_for_the_IoT
Abdullahi Arabo Jr (MEng, MBCS, PhD)
 
Critical Infrastructure Protection from Terrorist Attacks
Critical Infrastructure Protection from Terrorist AttacksCritical Infrastructure Protection from Terrorist Attacks
Critical Infrastructure Protection from Terrorist Attacks
BGA Cyber Security
 
Advice for CISOs: How to Approach OT Cybersecurity
Advice for CISOs: How to Approach OT CybersecurityAdvice for CISOs: How to Approach OT Cybersecurity
Advice for CISOs: How to Approach OT Cybersecurity
Mighty Guides, Inc.
 

Más contenido relacionado

La actualidad más candente

IT-Security-Governance-Innovations_joa_Eng_0515
IT-Security-Governance-Innovations_joa_Eng_0515IT-Security-Governance-Innovations_joa_Eng_0515
IT-Security-Governance-Innovations_joa_Eng_0515
A Krista Kivisild
 
Capstone Team Report -The Vicious Circle of Smart Grid Security
Capstone Team Report -The Vicious Circle of Smart Grid SecurityCapstone Team Report -The Vicious Circle of Smart Grid Security
Capstone Team Report -The Vicious Circle of Smart Grid Security
reuben_mathew
 
Open source software in government challenges and opportunities
Open source software in government challenges and opportunitiesOpen source software in government challenges and opportunities
Open source software in government challenges and opportunities
Luke Fretwell
 
John kingsley OT ICS SCADA Cyber security consultant
John kingsley OT ICS SCADA Cyber security consultantJohn kingsley OT ICS SCADA Cyber security consultant
John kingsley OT ICS SCADA Cyber security consultant
John Kingsley
 
ICS_WhitePaper_Darktrace
ICS_WhitePaper_DarktraceICS_WhitePaper_Darktrace
ICS_WhitePaper_Darktrace
Austin Eppstein
 

La actualidad más candente (20)

ISACA SLOVENIA CHAPTER October 2016 - Lubiana
ISACA SLOVENIA CHAPTER October 2016 - LubianaISACA SLOVENIA CHAPTER October 2016 - Lubiana
ISACA SLOVENIA CHAPTER October 2016 - Lubiana
 
Critical Infrastructure and Cyber Security: trends and challenges
Critical Infrastructure and Cyber Security: trends and challengesCritical Infrastructure and Cyber Security: trends and challenges
Critical Infrastructure and Cyber Security: trends and challenges
 
CyCron 2016
CyCron 2016CyCron 2016
CyCron 2016
 
IT-Security-Governance-Innovations_joa_Eng_0515
IT-Security-Governance-Innovations_joa_Eng_0515IT-Security-Governance-Innovations_joa_Eng_0515
IT-Security-Governance-Innovations_joa_Eng_0515
 
Secure your Space: The Internet of Things
Secure your Space: The Internet of ThingsSecure your Space: The Internet of Things
Secure your Space: The Internet of Things
 
Capstone Team Report -The Vicious Circle of Smart Grid Security
Capstone Team Report -The Vicious Circle of Smart Grid SecurityCapstone Team Report -The Vicious Circle of Smart Grid Security
Capstone Team Report -The Vicious Circle of Smart Grid Security
 
Securing the Fog
Securing the FogSecuring the Fog
Securing the Fog
 
ARC's Bob Mick Cyber Security Presentation @ ARC Industry Forum 2010
ARC's Bob Mick Cyber Security Presentation @ ARC Industry Forum 2010ARC's Bob Mick Cyber Security Presentation @ ARC Industry Forum 2010
ARC's Bob Mick Cyber Security Presentation @ ARC Industry Forum 2010
 
Internet of things
Internet of thingsInternet of things
Internet of things
 
Open source software in government challenges and opportunities
Open source software in government challenges and opportunitiesOpen source software in government challenges and opportunities
Open source software in government challenges and opportunities
 
John kingsley OT ICS SCADA Cyber security consultant
John kingsley OT ICS SCADA Cyber security consultantJohn kingsley OT ICS SCADA Cyber security consultant
John kingsley OT ICS SCADA Cyber security consultant
 
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...Cyber Security Awareness of Critical Infrastructures in North East of Italy S...
Cyber Security Awareness of Critical Infrastructures in North East of Italy S...
 
Security and Privacy Big Challenges in Internet of things
Security and Privacy Big Challenges in Internet of thingsSecurity and Privacy Big Challenges in Internet of things
Security and Privacy Big Challenges in Internet of things
 
Cybersecurity Summit AHR20 NIST framework Cimetrics
Cybersecurity Summit AHR20 NIST framework CimetricsCybersecurity Summit AHR20 NIST framework Cimetrics
Cybersecurity Summit AHR20 NIST framework Cimetrics
 
Cybersecurity in the Era of IoT
Cybersecurity in the Era of IoTCybersecurity in the Era of IoT
Cybersecurity in the Era of IoT
 
Security Redefined - Prevention is the future!!
Security Redefined - Prevention is the future!!Security Redefined - Prevention is the future!!
Security Redefined - Prevention is the future!!
 
Cyber Six: Managing Security in Internet
Cyber Six: Managing Security in InternetCyber Six: Managing Security in Internet
Cyber Six: Managing Security in Internet
 
Infosecurity Europe - Infographic
Infosecurity Europe - InfographicInfosecurity Europe - Infographic
Infosecurity Europe - Infographic
 
ICS_WhitePaper_Darktrace
ICS_WhitePaper_DarktraceICS_WhitePaper_Darktrace
ICS_WhitePaper_Darktrace
 
CyberSecurity_for_the_IoT
CyberSecurity_for_the_IoTCyberSecurity_for_the_IoT
CyberSecurity_for_the_IoT
 

Similar a Cybersecurity-for-Industrial-Control-Systems_joa_Eng_0115

Top Cyber News Magazine Daniel Ehrenreich
Top Cyber News Magazine Daniel Ehrenreich Top Cyber News Magazine Daniel Ehrenreich
Top Cyber News Magazine Daniel Ehrenreich
TopCyberNewsMAGAZINE
 
New Threats, Existing Remedies, and Unresolved Issues Related to the Effect o...
New Threats, Existing Remedies, and Unresolved Issues Related to the Effect o...New Threats, Existing Remedies, and Unresolved Issues Related to the Effect o...
New Threats, Existing Remedies, and Unresolved Issues Related to the Effect o...
ijtsrd
 
Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16
Dave Darnell
 
wp-us-cities-exposed-industries-and-ics
wp-us-cities-exposed-industries-and-icswp-us-cities-exposed-industries-and-ics
wp-us-cities-exposed-industries-and-ics
Numaan Huq
 
wp-us-cities-exposed-industries-and-ics
wp-us-cities-exposed-industries-and-icswp-us-cities-exposed-industries-and-ics
wp-us-cities-exposed-industries-and-ics
Thomas Hughes
 
· Answer the following questions in a 100- to 150 word response .docx
· Answer the following questions in a 100- to 150 word response .docx· Answer the following questions in a 100- to 150 word response .docx
· Answer the following questions in a 100- to 150 word response .docx
oswald1horne84988
 
ghostsinthemachine2
ghostsinthemachine2ghostsinthemachine2
ghostsinthemachine2
Shane Kite
 
Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company IntroductionNozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks
 

Similar a Cybersecurity-for-Industrial-Control-Systems_joa_Eng_0115 (20)

Critical Infrastructure Protection from Terrorist Attacks
Critical Infrastructure Protection from Terrorist AttacksCritical Infrastructure Protection from Terrorist Attacks
Critical Infrastructure Protection from Terrorist Attacks
 
Advice for CISOs: How to Approach OT Cybersecurity
Advice for CISOs: How to Approach OT CybersecurityAdvice for CISOs: How to Approach OT Cybersecurity
Advice for CISOs: How to Approach OT Cybersecurity
 
Booz Allen Industrial Cybersecurity Threat Briefing
Booz Allen Industrial Cybersecurity Threat BriefingBooz Allen Industrial Cybersecurity Threat Briefing
Booz Allen Industrial Cybersecurity Threat Briefing
 
Top Cyber News Magazine Daniel Ehrenreich
Top Cyber News Magazine Daniel Ehrenreich Top Cyber News Magazine Daniel Ehrenreich
Top Cyber News Magazine Daniel Ehrenreich
 
Ics white paper report 2017
Ics white paper report 2017Ics white paper report 2017
Ics white paper report 2017
 
Darktrace white paper_ics_final
Darktrace white paper_ics_finalDarktrace white paper_ics_final
Darktrace white paper_ics_final
 
Need for Improved Critical Industrial Infrastructure Protection
Need for Improved Critical Industrial Infrastructure ProtectionNeed for Improved Critical Industrial Infrastructure Protection
Need for Improved Critical Industrial Infrastructure Protection
 
New Threats, Existing Remedies, and Unresolved Issues Related to the Effect o...
New Threats, Existing Remedies, and Unresolved Issues Related to the Effect o...New Threats, Existing Remedies, and Unresolved Issues Related to the Effect o...
New Threats, Existing Remedies, and Unresolved Issues Related to the Effect o...
 
EXPLORING CRITICAL VULNERABILITIES IN SIEM IMPLEMENTATION AND SOC SERVICE PRO...
EXPLORING CRITICAL VULNERABILITIES IN SIEM IMPLEMENTATION AND SOC SERVICE PRO...EXPLORING CRITICAL VULNERABILITIES IN SIEM IMPLEMENTATION AND SOC SERVICE PRO...
EXPLORING CRITICAL VULNERABILITIES IN SIEM IMPLEMENTATION AND SOC SERVICE PRO...
 
Looking into the future of security
Looking into the future of securityLooking into the future of security
Looking into the future of security
 
Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16Cyber security white paper final PMD 12_28_16
Cyber security white paper final PMD 12_28_16
 
Cyber Immunity Unleashed: Explore the Future with iTech Magazine!
Cyber Immunity Unleashed: Explore the Future with iTech Magazine!Cyber Immunity Unleashed: Explore the Future with iTech Magazine!
Cyber Immunity Unleashed: Explore the Future with iTech Magazine!
 
wp-us-cities-exposed-industries-and-ics
wp-us-cities-exposed-industries-and-icswp-us-cities-exposed-industries-and-ics
wp-us-cities-exposed-industries-and-ics
 
wp-us-cities-exposed-industries-and-ics
wp-us-cities-exposed-industries-and-icswp-us-cities-exposed-industries-and-ics
wp-us-cities-exposed-industries-and-ics
 
Cisco Award Write Up
Cisco Award Write UpCisco Award Write Up
Cisco Award Write Up
 
InTech-FOCUS-Process-Safety-Sept2020.pdf
InTech-FOCUS-Process-Safety-Sept2020.pdfInTech-FOCUS-Process-Safety-Sept2020.pdf
InTech-FOCUS-Process-Safety-Sept2020.pdf
 
· Answer the following questions in a 100- to 150 word response .docx
· Answer the following questions in a 100- to 150 word response .docx· Answer the following questions in a 100- to 150 word response .docx
· Answer the following questions in a 100- to 150 word response .docx
 
Outlook Briefing 2016: Cyber Security
Outlook Briefing 2016: Cyber SecurityOutlook Briefing 2016: Cyber Security
Outlook Briefing 2016: Cyber Security
 
ghostsinthemachine2
ghostsinthemachine2ghostsinthemachine2
ghostsinthemachine2
 
Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company IntroductionNozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company Introduction
 

Cybersecurity-for-Industrial-Control-Systems_joa_Eng_0115

  • 1. 1ISACA JOURNAL Volume 1, 2015©2015 ISACA. All rights reserved. www.isaca.org In June 2010, a computer worm known as Stuxnet, designed to attack industrial programmable logic controllers (PLCs) in target areas, such as nuclear power plants in Iran,1 was discovered. While certainly not the first (nor the last) piece of malware targeting industrial control systems (ICSs), it helped bring this type of industrial espionage into the limelight, as it appeared to involve matters of national security, bringing the activity of planting a virus from the fictional world of James Bond to the real world of national secret service agencies. Suddenly, mundane control systems became provocative. ICSs have been around for decades with the job of controlling, monitoring and managing large production systems, often in critical infrastructure industries, such as electric power generators, transportation systems, dams, chemical facilities, petrochemical operations and pipelines. ICSs include process control systems (PCSs), distributed control systems (DCSs), and supervisory control and data acquisition (SCADA). While not traditionally lively, the field of ICS has been rapidly expanding with security solutions in response to the increasing threats. Despite this expansion, there is still a small amount of management-level guidance to develop business cases for risk managers to use to perform assessments. There is also a lack of guidance for use by auditors to evaluate the adequacy and balance of controls relative to risk.2 In short, the purpose of the book Cybersecurity for Industrial Control Systems by Tyson Macaulay and Bryan Singer is to address the imbalance between the available technical information on ICS security and related management-level guidance. The authors do a good job of providing a thorough introduction into ICSs, explaining all of the technical details and information so that even novice information systems (IS) security professionals or auditors can get their bearings and begin to have a solid understanding of the business and the environment in which ICS operates. While ICS and related subjects can be technical, this book presents them with enough detail and in a straightforward enough manner so that the information is clear. From here, the authors provide ample information to ensure that even an experienced security professional is fully briefed on the threats, vulnerabilities, risk assessment techniques and what is coming next in the field. From this vantage point, the book serves as a good reference book to gain a valuable breadth of knowledge of areas falling within the field of ICS. The book is well documented throughout and includes references to various regulations governing the field of ICS, including those from the US National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), and the UK National Security Advice Centre. It also discusses the impact of various regulatory commissions across different countries, as these bodies set standards for process controls, establish security standards for industry and, thus, have an impact on ICS security. The book also compares ICS security to regular IT security and highlights any differences and similarities. Although the book is well documented and provides great detail, there is some truth in the saying that it is not possible to be all things to all people. The authors identify their target audience as IT or ICS security novices, IT or ICS security practitioners, experienced IT security gurus, auditors of IT systems, forensic practitioners, accident investigators, and ICS engineers. This target audience contains quite a wide range of readers with differing needs. While there is sufficient detail from a security, audit or investigative point of view, those who are engineers or are involved with forensics may require more Reviewed by A. Krista Kivisild, CISA, CA, who has had a diverse career in audit, working in government, private companies and public organizations. Kivisild has experience in IT audit, governance, compliance/ regulatory auditing, value for money auditing and operational auditing. She has served as a volunteer instructor, training not-for-profit boards on board governance concepts, with the Alberta (Canada) Government Board Development Program and has served as the membership director and CISA director for the ISACA Winnipeg (Manitoba, Canada) Chapter. Cybersecurity for Industrial Control Systems By Tyson Macaulay and Bryan Singer
  • 2. 2ISACA JOURNAL Volume 1, 2015©2015 ISACA. All rights reserved. www.isaca.org detailed information than this book provides. For most users, the detailed explanations, supporting figures and tables, and detailed references at the end of each chapter provide the answers to their questions. ICSs are not new, but more and more they are being exposed to new threats as they become Internet-facing and their critical services are exposed to attack. Cybersecurity for Industrial Control Systems provides readers with a solid foundation to understand what the different control systems are, what the threats and vulnerabilities are, what the current and new risk assessment techniques are in the field of ICS risk management, and where ICS security is headed in the future. EDITOR’S NOTE Cybersecurity for Industrial Control Systems is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in this Journal, visit www.isaca. org/bookstore, email bookstore@isaca.org or telephone +1.847.660.5650. ENDNOTE 1 Gross, Michael Joseph; “A Declaration of Cyber-War,” Vanity Fair, April 2011, www.vanityfair.com/culture/ features/2011/04/stuxnet-201104 2 Macaulay, Tyson; Bryan Singer; Cybersecurity for Industrial Control Systems SCADA, DCS, PLC, HMI, and SIS, CRC Press, USA, 2012