Asessment Findings Conclusion Recommendations RoadMap

8/12/2019 Asessment Findings Conclusion Recommendations RoadMap

1/22

COMESAMEETING/2ND ICTSUMMUTONCYBERSECURITY

25TH

28TH

NOV

2013SAFARIPARKHOTEL,NAIROBI,KENYA

STUDY:PKIforCIIPCOMESA

Member

states

Preparedness

ASSESSMENT&FINDINGS

MOTSIMABUSIN


2/22

PROBLEM,CONSTRAINTS&OBSTACLES


3/22

Awarenessislargelymissingwithregardsto:

Riskamountand

eminence

around

member

statescriticalinfrastructure.Minimumtonosecurity on critical infrastructures.

OpportunitybehindimplementingPKIasa

solutiontomanagerisks(Transfer/Mitigate).

Strategies or policies addressing the securityissues are not in the scope for most criticalprojects.

PROBLEM


4/22

CONSTRAINTS

&

OBSTACLES

AWARENESS

SENSE

OF

URGENCY

EXPERTISE

FORMULATING

A

BUSINESS

CASE

FOR

IT

SECURITY

COMPLEXITY

OF

SECURITY

ISSUES.

HIGH

TECHNOLOGY/AVAILABLITY

SYSTEMS

DEPLOYMENTS

WITHOUT

PROPPER

SECURITY


5/22

CHALLENGES


6/22

IMPLEMENTATION


7/22

BUDGET&BUDGETING


8/22

VISUALIZING

THE

SITUATION


9/22

CRITICALINFRASTRUCTURESNETWORK(Terminals,devices,Serversandmanagementconsoles)

EXAMPLES: POWERGRIDS/PLANTS

WATERSUPPLYSYSTEMS

AIRTRAFFICCONTROLS

REFINERIES

NEUCLEARPLANTS

TRANSPORTATIONSYSTEMS(TRAINS,METROS,..ETC)

ETC

ENGINEERIN

G

PCs/laptops

OTHER

EMPLOYEES

PCS/laptops

TESTING

Guest

WIFI

WEB AND

MAIL

SERVERS

Authentication

Database

AIRGAP

(FIREWALL)

Us

eofUSBto(movefiles,co

pydata,

loadnew

softw

are

etc.,


10/22

TheSCADA,

PLC

,or

any

control

system

VALVE

S

FANS

RADIATION

SENSORS

TEMPRATU

RE

READINGS

WATE

R

LEVEL

ENGINEERIN

G

PCs/laptops

OTHER

EMPLOYEES

PCS/laptops

TESTING

Guest

WIFI

WEB AND

MAIL

SERVERS

Authentication

Serversand

managementPCS

Database

AIRGAP

(FIREWALL) U

SINGUSB


11/22

SourceFortinet.com

SCADA,PLC,..etc.,in

industrial

environment


12/22

THE

FINDINGS


13/22

LackofAwareness[Triggers:incident,

regulation,customer

demand]

Lackof

laws,

policies,

&

law

enforcement

capabilities.

Lackofstandards&technologies.

Scarcityinresourcesandweaknessesin

capacitybuilding.


14/22

RECOMMENDATIONS


15/22

Boostawareness

and

capacity

buildingonCIIPandPKI.

Consultants,Implementation

partner,and

technology

selection

iscrucial

Recommendations:


16/22

DESIGNREALITY

GAP

must

always

beperformedwithsuchlargescale

projects.

UNCITRAL,IETF,FIPS,ITU,and

other

international

PKI

standards.

Recommendations:


17/22

SAMPLESTRATEGYOFCIIP


18/22

USAFederalAviationAdministration(FAA)

hasdevelopedseveralstrategyguidelinesto

helpstrengthencyberdefense;itincludes:

Systemandnetworkshardening.

Segmentationandisolationof

systemsandnetworks.

Establishredundancyandbackupto

avoidservice

disruption


19/22

e.g., Approach to Protecting the U.S. Air Traffic Control System Against Cyber

Terrorism.

Reference:http://www.incose.org


20/22

FederalAviation

Administrations

model

in

protecting

air

traffic

control

systems.

Source:http://www.incose.org


21/22

FAAS APPROACH

TO

ACHIEVE

THE

STRATEGY.

Establishstrategy,policy,andguidance

Systematicallyandcontinuallyexamine

threatsandvulnerabilities

Createan

information

systems

security

architecturethatrespondstothosethreats

andvulnerabilities

Implementinformationsystemsand

networksconsistent

with

the

architecture


22/22

CONT.

FAAS APPROACH

TO

ACHIEVE

THE

STRATEGY.

Establish,institutionalize,and

continuouslyimprove

processes

Deploysecuritymeasuresincrementally

Monitorcomplianceandmeasureprogress

Managerisksproactivelyateachmajor

decisionpoint

Documents

Asessment Findings Conclusion Recommendations RoadMap