Embed Size (px)
Citation preview
ICS Cybersecurity
Threat Modeling
Salem S. Elwi
© Saudi Arabian Oil Company, 2020
2
Saudi Aramco: Company General Use
Threat Modeling and Risk
Management
Value Realization
Future Value Maximization
Key Points
3
3
Saudi Aramco: Company General Use
Risk Management Framework
4
Saudi Aramco: Company General Use
ICS Cybersecurity Threat Model
5
Saudi Aramco: Company General Use
ICS Threat Modeling Elements
6
Saudi Aramco: Company General Use
ICS Threat Vectors Driven Risk Assessment
7
Saudi Aramco: Company General Use
ICS Cyber Risk Assessment Process
Risk Management Process Applied Across the TiersNIST SP 800-39 Managing Information Security Risk, NIST, March 2019,
[https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf].
Graphical view of elements of a
cyber security management systemIEC 62443-2-1:2010(E) Industrial communication networks –
Network and system security – Part 2-1: Establishing an
industrial automation and control system security Program,
IEC, 2010.
8
Saudi Aramco: Company General Use
Risk Calculation – High Level Approach
9
Saudi Aramco: Company General Use
Impact Rating
10
Saudi Aramco: Company General Use
Sr
Management
GRC
Value Realization
• Limited automation
• No ICS standards such
as IEC 62443 and
C2M2
• No ICS process such as
Cyber PHA
• No ICS certificate
schemes such as
ISASecure
• No out-of-the-box
baseline config for ICS
• Vendors’ vetting
TechnologyPeople
Process
11
Saudi Aramco: Company General Use
Future Value Maximization
Cybersecurity Big Data AI Based CybersecurityRisk Management
