SDL Deployment in Industrial Control Systems
Mayur Mehta
Cyber Incidents
Cyber Threats Emerged Over Time
[Chart: attack sophistication (y-axis) over the decades (x-axis). Source: MITRE]
[Chart: number of ICS CVEs (RowCount, 0 to 120) per vendor. Source: Recorded Future]
• NIST's NVD (CVE) database lists 71,500+ vulnerabilities.
• The chart is based on 408 ICS CVEs.
SHODAN
NORSE View
Cost of Security Lapse
• A fix made after release costs about 30 times as much as the same fix made in the design phase (figure attributed to the National Institute of Standards and Technology).
• Goodwill loss: the customer's productivity and confidence.
[Bar chart: relative cost of fixing a defect by lifecycle phase, compared with fixing it in the design phase. Phases, left to right: Requirement/Architecture, Coding, Integration/Component Testing, System/Acceptance Testing, Production/Post Release; bar labels, left to right: 2.5x, 5x, 10x, 15x, 30x. Y-axis 0 to 35.]
SDL – “Secure Development Lifecycle”
SDL helps us reduce product maintenance costs and increase the reliability of software with respect to security issues.
Training
• Bare-minimum security knowledge for everyone
• Role-based knowledge
Requirements
• Evaluate the security requirements:
  • Access Control (Authentication)
  • Use Control (Authorization)
  • Logging (Auditing)
  • Confidentiality
  • Integrity
  • Availability
• Standards:
  • IEC 62443
  • IEC 62351
  • NIST SP 800-82 / SP 800-53
  • NERC CIP
Design
Step 1 Perform threat modelling as a security design practice.
Step 2 Produce a mitigation action plan. STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) categorises the threats; DREAD (Damage potential, Reproducibility, Exploitability, Affected users, Discoverability) rates each one so that mitigations can be prioritised.
Step 3 Perform attack surface analysis and reduction.
Step 4 Conduct a secure architecture design review.
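A worked example of Steps 1 and 2, added here and not part of the presentation: a STRIDE-per-element pass over a constructed ICS data-flow diagram (operator, HMI, Modbus/TCP link, PLC, historian), DREAD scoring of each candidate threat, and a mitigation action plan phrased in the requirement terms used on the Requirements slide. The DFD, the rating function, the 6.0 threshold and the mitigation wording are assumptions made for illustration.

```python
"""Threat-modelling example: STRIDE-per-element over a small ICS data-flow
diagram, DREAD scoring, and a mitigation action plan. Added example; the
DFD, scores, threshold and mitigation wording are constructed assumptions."""
from dataclasses import dataclass
from itertools import count

# STRIDE letters each DFD element type is exposed to (Microsoft SDL's
# STRIDE-per-element chart).
STRIDE_PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "flow": "TID",
    "store": "TRID",
}

STRIDE_NAME = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Assumed default mitigation per category, phrased with the requirement
# names from the Requirements slide.
DEFAULT_MITIGATION = {
    "S": "Access Control: authenticate peers (e.g. certificates per IEC 62351)",
    "T": "Integrity: message authentication codes, signed firmware and configs",
    "R": "Logging: tamper-evident audit trail with synchronised clocks",
    "I": "Confidentiality: encrypt the channel, minimise data exposed",
    "D": "Availability: rate limiting, watchdogs, zone/conduit segmentation",
    "E": "Use Control: role-based authorisation and least privilege",
}


@dataclass
class Element:
    name: str
    kind: str              # external | process | flow | store
    exposed: bool = True   # reachable from a plant network an attacker can join


@dataclass
class Threat:
    id: int
    element: str
    category: str
    dread: dict  # Damage, Reproducibility, Exploitability, Affected users, Discoverability

    @property
    def score(self) -> float:
        """DREAD risk: mean of the five components, each rated 1..10."""
        return sum(self.dread.values()) / len(self.dread)


def enumerate_threats(elements, rate):
    """STRIDE-per-element: one candidate threat per (element, applicable category).
    `rate(element, category)` supplies the DREAD values."""
    ids = count(1)
    return [Threat(next(ids), el.name, cat, rate(el, cat))
            for el in elements for cat in STRIDE_PER_ELEMENT[el.kind]]


def rank(threats):
    """Highest DREAD score first; ties keep enumeration order."""
    return sorted(threats, key=lambda t: (-t.score, t.id))


def mitigation_plan(threats, threshold=6.0):
    """Mitigation action plan: (id, element, category, score, action) rows.
    Threats below the threshold are accepted and re-rated at the next review."""
    rows = []
    for t in rank(threats):
        action = (DEFAULT_MITIGATION[t.category] if t.score >= threshold
                  else "accept risk; re-rate at next design review")
        rows.append((t.id, t.element, STRIDE_NAME[t.category], round(t.score, 1), action))
    return rows


# Constructed DFD: operator -> HMI -> (Modbus/TCP) -> PLC, HMI -> historian.
ICS_DFD = [
    Element("Operator", "external", exposed=False),
    Element("HMI", "process"),
    Element("HMI->PLC Modbus/TCP", "flow"),
    Element("PLC", "process"),
    Element("Historian DB", "store"),
]


def sample_rating(el, cat):
    """Constructed DREAD values: anything that can change PLC state has
    maximum damage and affects the whole plant; exposed elements are easier
    to exploit and to discover; repudiation does little direct damage."""
    d = {"D": 7, "R": 6, "E": 5, "A": 6, "Di": 5}
    if el.name.startswith("PLC") or "Modbus" in el.name:
        d["D"], d["A"] = 10, 9
    if el.exposed:
        d["E"] += 3
        d["Di"] += 3
    if cat == "R":
        d["D"] -= 4
    return d


if __name__ == "__main__":
    for row in mitigation_plan(enumerate_threats(ICS_DFD, sample_rating)):
        print(*row, sep=" | ")
```

The enumeration step is mechanical (21 candidate threats for five elements), which is the point of STRIDE-per-element: the reviewer's effort goes into the rating and the action column, not into remembering which threat classes apply to a data flow versus a data store. The tampering and denial-of-service threats on the Modbus/TCP link and the PLC come out on top because the constructed scores give them maximum damage and plant-wide impact.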
Implementation
Step 1 Implement the security features.
Step 2 Use approved tools.
Step 3 Follow secure coding practices:
  • Review source code against a checklist of secure coding practices (a top 10 to top 100 list).
  • Perform static analysis using tools such as Klocwork, FxCop or Fortify.
  • Analyse and fix the reported security issues.
Verification
Step 1 Penetration test plan, derived from the attack surface and the security requirements.
Step 2 Test each security requirement against the relevant attack vectors.
Step 3 Manual and/or automated vulnerability assessment.
Step 4 Penetration attempts.
Step 5 Remove false positives.
Step 6 Final report with evidence.
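A worked example covering the Implementation and Verification steps together, added here and not part of the presentation: a Modbus/TCP “Write Multiple Registers” (function code 0x10) handler in the form a code review or static analyser would flag (every length field in the frame is trusted) next to a hardened version, and a small mutation harness of the kind used in Steps 3 and 4 of verification, which records any exception other than the handler's own ProtocolError as a finding for the report. The frames are constructed, the register bank size is an assumption, and Python is used so that the out-of-range register write shows up as an IndexError rather than as the memory corruption it would be in a C implementation.

```python
"""Secure coding and verification example for a Modbus/TCP
'Write Multiple Registers' (FC 0x10) handler. Added example with constructed
frames; not the presentation's code. REGISTER_BANK_SIZE is an assumption."""
import random
import struct

REGISTER_BANK_SIZE = 64   # assumed size of the device's holding-register bank


class ProtocolError(Exception):
    """The only exception the hardened handler is allowed to raise."""


def build_fc16(tid, unit, start, values):
    """Build a well-formed MBAP header + FC16 PDU (seed frame for the harness)."""
    data = b"".join(struct.pack(">H", v) for v in values)
    pdu = struct.pack(">BHHB", 0x10, start, len(values), len(data)) + data
    mbap = struct.pack(">HHHB", tid, 0, 1 + len(pdu), unit)  # length covers unit id + PDU
    return mbap + pdu


def handle_fc16_vulnerable(frame, bank):
    """'Before' version: MBAP length, quantity and byte count are all trusted."""
    _tid, _proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]
    _fc, start, qty, nbytes = struct.unpack(">BHHB", pdu[:6])
    data = pdu[6:6 + nbytes]
    for i in range(qty):
        # start/qty are never checked against the bank: an out-of-range write
        # raises IndexError here and corrupts memory in the C equivalent.
        bank[start + i] = struct.unpack(">H", data[2 * i:2 * i + 2])[0]
    return qty


def handle_fc16_hardened(frame, bank):
    """'After' version: every length field is checked against what is present."""
    if len(frame) < 7 + 6:
        raise ProtocolError("frame shorter than MBAP header + FC16 header")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ProtocolError("unknown protocol id")
    if length != len(frame) - 6:
        raise ProtocolError("MBAP length does not match frame size")
    pdu = frame[7:]
    fc, start, qty, nbytes = struct.unpack(">BHHB", pdu[:6])
    if fc != 0x10:
        raise ProtocolError("not FC16")
    if not 1 <= qty <= 123 or nbytes != 2 * qty or len(pdu) != 6 + nbytes:
        raise ProtocolError("quantity / byte count inconsistent with PDU")
    if start + qty > len(bank):
        raise ProtocolError("register range outside bank")
    data = pdu[6:]
    for i in range(qty):
        bank[start + i] = struct.unpack(">H", data[2 * i:2 * i + 2])[0]
    return qty


def tampered_length(frame, new_len):
    """Rewrite the MBAP length field: a one-line attack vector for Step 2."""
    return frame[:4] + struct.pack(">H", new_len) + frame[6:]


def verdict(handler, frame):
    """'ok', 'rejected' (ProtocolError) or the name of any other exception."""
    try:
        handler(frame, [0] * REGISTER_BANK_SIZE)
        return "ok"
    except ProtocolError:
        return "rejected"
    except Exception as exc:  # anything else is a finding
        return type(exc).__name__


def mutate(frame, rng):
    """Cheap protocol fuzzing: flip one byte, truncate, or append junk."""
    b = bytearray(frame)
    choice = rng.randrange(3)
    if choice == 0:
        b[rng.randrange(len(b))] = rng.randrange(256)
    elif choice == 1:
        del b[rng.randrange(len(b)):]
    else:
        b.extend(rng.randrange(256) for _ in range(rng.randrange(1, 16)))
    return bytes(b)


def fuzz(handler, iterations=2000, seed=1):
    """Step 3/4 automated assessment: count exceptions that are not the
    handler's own rejection. Anything listed here goes into the report."""
    rng = random.Random(seed)
    seed_frame = build_fc16(1, 1, 0, [0x1234, 0x5678])
    findings = {}
    for _ in range(iterations):
        v = verdict(handler, mutate(seed_frame, rng))
        if v not in ("ok", "rejected"):
            findings[v] = findings.get(v, 0) + 1
    return findings


if __name__ == "__main__":
    print("vulnerable:", fuzz(handle_fc16_vulnerable))
    print("hardened:  ", fuzz(handle_fc16_hardened))
```

Run stand-alone, the script prints a non-empty findings dictionary (IndexError and struct.error) for the trusting handler and an empty one for the hardened handler. The false-positive step (Step 5) is built into the harness: a frame the handler rejects with ProtocolError is expected behaviour and is not counted, so only exceptions that escape the protocol layer reach the report.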
Release
Step 1 Compare the results against the security goals set at the start.
Step 2 Document the security features and settings.
Response
• Incident response
• Providing fixes for zero-day vulnerabilities
• Forensic analysis
• Binary vulnerability scanning
• Responsible disclosure
• Security is not a goal that can be reached
• New vulnerabilities are discovered daily
• Threats continue to evolve
• Weak points in the system change, becoming new points of attack
• Security is a process and an attitude
Reference
• NIST publications: http://nvlpubs.nist.gov/
• NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security
• Microsoft Security Development Lifecycle (SDL)
• Recorded Future: www.recordedfuture.com
• ISASecure: http://www.isasecure.org/
• NERC (North American Electric Reliability Corporation)
• IEC 62443 (formerly ISA-99)
• ISO 27001 and 27002
• OWASP: www.owasp.org/
• SE PSO wiki
The key to successful cyber defence is preparation...
Thank you.
