David Hanlon
Secretary, IEC Conformity Assessment Board (CAB)

UNECE WP.6 annual meeting
UNOG, Geneva, 22nd November, 2019

2019-11-07

UN CRO Guidelines for Cybersecurity
• Draft version endorsed in November 2018
• Further developed during 2019
• Added sector examples (uncompleted)
• Currently circulated for review
• Endorsement of 2nd draft expected Nov. 2019

http://www.unece.org/tradewelcome/tradewp6/groups/cybersecurity.html
1st & 2nd draft versions available here


Proposed decision:

“The Working Party adopts the proposal for a common regulatory framework as contained in this draft proposal”

It requests that the proposal be published. It also requests the secretariat to continue to report on the progress of the initiative.

Systematic Methodology
Systems approach:
• Model the system
• Use the GMM
• Risk based
• Open choice of requirements: could be standards based (open choice of standards)
• Open choice of conformity assessment (CA): supplier's declaration (1st party), internal audits (2nd party), certification (3rd party)
• Use appropriate CA at appropriate points according to risk.

Often forgotten in other frameworks, yet essential.


Systematic Methodology
1) Map sector application to Generic Matrix Model (GMM)
2) Risk analysis of sector application map
   o Identify and rate risk points
3) Determine appropriate level of CA for each risk point according to risk level rating
4) Identify requirements documents (standards)
   o Determine what is available/appropriate (standards gap analysis)
   o Determine how to fill the gaps (standards development)
5) Apply appropriate CA to appropriate standards at each risk point
Periodic: review, revise, renew (R3)

Systematic Methodology: Generic Matrix Model (GMM)

The GMM is a matrix. Its rows are the SYSTEM MODEL (Components, Interconnections, Interventions) and its columns are the OBJECTS OF CONFORMITY (Products, People, Processes).

Components: product A, B, C…; product development; product manufacture; etc.
Interconnections: systems integration design; systems integration implementation / realisation; etc.
Interventions: asset owner operation; systems upgrades / patch management; vendor & service providers; etc.

Entries shown in the populated GMM example:
• Testing
• Product design competency
• Systems design competency
• Manufacturing processes
• Product manufacturing competency
• Design processes
• IT/OT competency
• Systems build competency
• Component selection processes
• Design / realization processes
• People selection processes
• Supplier qualification processes
• Service processes
• Patch management
• Interoperability


Generic Matrix Model (GMM)

Annex C - sector examples (uncompleted)
http://www.unece.org/tradewelcome/tradewp6/groups/cybersecurity.html


• 8 sector examples
  o Corporate system
  o Medical network system
  o Banking system
  o Railway system
  o Traditional energy utility system
  o Smart grid electrical system
  o Active assisted living system
  o Networked vehicles

Each sector example has a GMM table indicating standards that can be used in the different phases and applications of the system.

The GMMs are not complete.

The uncompleted sector examples with GMMs are included in order to stimulate discussion.
